Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling with potential unauthorized access
Action: Immediate Patch
AI Analysis

Impact

TinyWeb versions prior to 2.03 contain an integer overflow in the string-to-integer conversion routine (_Val) that allows an unauthenticated attacker to bypass Content-Length restrictions. The flaw enables HTTP Request Smuggling, which can be used to gain unauthorized access, bypass security filters, and poison cache entries. The vulnerability is critical for servers that use persistent connections (Keep-Alive).

Affected Systems

The issue affects the TinyWeb web server (HTTP/HTTPS), written in Delphi for Win32 and developed by maximmasiutin, in every version older than 2.03.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% reflects a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need only network access to a vulnerable server; the exploit is remote and unauthenticated. Until patched, the flaw can be abused to redirect traffic, bypass authentication, or inject malicious content into cached responses.

Generated by OpenCVE AI on April 17, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyWeb to version 2.03 or later to eliminate the integer overflow in the _Val routine.
  • Disable HTTP persistent connections (Keep-Alive) to reduce the attack surface until a patch is applied.
  • Deploy network monitoring or intrusion detection to identify anomalous request patterns that may indicate HTTP Request Smuggling attempts.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ritlabs
                                      Ritlabs tinyweb
CPEs                                  cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
Vendors & Products                    Ritlabs
                                      Ritlabs tinyweb
Metrics                               cvssV3_1: score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


Fri, 06 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc (version 2.0.3): Automatable yes, Exploitation none, Technical Impact partial


Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Maximmasiutin
                                      Maximmasiutin tinyweb
Vendors & Products                    Maximmasiutin
                                      Maximmasiutin tinyweb

Fri, 06 Mar 2026 03:30:00 +0000

Type                 Values Removed   Values Added
Description                           TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.
Title                                 TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling)
Weaknesses                            CWE-190
                                      CWE-444
References
Metrics                               cvssV4_0: score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:10:28.611Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28497

Vulnrichment

Updated: 2026-03-06T16:00:30.671Z

NVD

Status: Analyzed

Published: 2026-03-06T04:16:07.990

Modified: 2026-03-16T15:37:17.303

Link: CVE-2026-28497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses