Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
Published: 2026-03-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

TinyWeb, a Delphi-based web server for Win32, copies request header values into CGI environment variables (HTTP_*) without rejecting the control characters CR, LF, and NUL, or their percent-encoded forms (%0d, %0a, %00). A value that the HTTP parser treats as a single header can therefore be read by a later consumer as several lines (CR/LF) or as a truncated string followed by a separate entry (NUL); this is the header value confusion across parser boundaries that the description refers to, and it is how attacker-controlled bytes reach the CGI execution context as environment data. Whether that escalates to command or code execution depends on what the CGI program does with HTTP_* values: the description stops at "unsafe data in the CGI execution context", the CVSS 4.0 vector rates confidentiality impact as none and integrity impact as high, and the SSVC assessment records the technical impact as partial. The assigned weaknesses are CWE-20 (improper input validation), CWE-74 (injection), CWE-93 (CRLF injection), and CWE-114 (process control).

Affected Systems

The vulnerability affects all TinyWeb releases prior to version 2.04. The project is maintained by Maxim Masiutin (recorded as vendor Maximmasiutin on the CVE record); NVD's CPE entry lists the vendor as Ritlabs (cpe:2.3:a:ritlabs:tinyweb:*), so asset inventories should be searched under both names. Any pre-2.04 build, regardless of minor version, is affected until it is upgraded to 2.04 or later.

Risk and Exploitability

The CVSS 4.0 base score of 9.2 is in the Critical range (NVD's separate CVSS 3.1 assessment is 8.2, High: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L). The EPSS score below 1% and the SSVC rating of Exploitation: none indicate no known exploitation at the time of enrichment, although SSVC also marks the flaw as Automatable: yes, so a scanner could trigger it at scale. It is reachable over the network with a single crafted HTTP request to a CGI-enabled endpoint and requires no authentication, privileges, or user interaction. It is not listed in the CISA KEV catalog. Treat it as high priority for any internet-reachable instance that serves CGI.

Generated by OpenCVE AI on April 17, 2026 at 12:27 UTC.

Remediation

Fixed in TinyWeb 2.04 (per the CVE description). No separate vendor advisory or documented workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade TinyWeb to version 2.04 or later, which rejects control characters in header lines and values.
  • If an upgrade is not immediately possible, put the server behind a reverse proxy that enforces HTTP/1.1 field syntax (RFC 9112) and returns 400 on raw CR, LF, or NUL bytes in header names and values. Percent-encoded sequences (%0d, %0a, %00) are legal header content and pass such a proxy unchanged, so add an explicit rule that rejects those sequences in header values and in the request target.
  • Restrict who can reach the service (network ACLs, authentication enforced at the proxy) to limit exposure to untrusted clients. TLS on its own does not mitigate header injection; it only changes who can observe or tamper with the traffic in transit.
  • Review CGI programs that consume HTTP_* variables and treat those values as untrusted: do not pass them to a shell or command line, and do not copy them into response headers without validation.
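The header-to-environment path analysed in the Impact section, and the control-character check a filtering proxy or the patched parser has to apply, as one added Python model. This is illustrative code written for this page, not TinyWeb's Delphi source and not the 2.04 fix; the permissive parser, the NUL-delimited environment block (the layout Win32 uses to pass an environment to a child process), the header names and the request bytes are all assumed or constructed. It shows why raw and percent-encoded CR/LF/NUL both have to be rejected: the naive mapping lets an encoded CRLF become a second line inside one value and lets an encoded NUL create a variable the request never set.

```python
"""
Model of the header-to-CGI-environment path this advisory describes.

Illustrative re-implementation written for this page, not TinyWeb's source.
Parser, environment-block builder, header names and request bytes are all
assumed/constructed; they show the mechanism, not TinyWeb's exact code path.
"""
from urllib.parse import unquote_to_bytes

# Bytes that must never reach a CGI environment value: NUL, LF, CR.
CTL_BYTES = frozenset({0x00, 0x0A, 0x0D})


class BadRequest(ValueError):
    """Raised by the hardened parser; a server would answer 400."""


def header_to_env_name(name: bytes) -> str:
    # RFC 3875 section 4.1.18: "HTTP_" + upper-cased name with '-' -> '_'.
    return "HTTP_" + name.decode("latin-1").strip().upper().replace("-", "_")


def _header_fields(raw: bytes):
    """Yield (name, value) for each header line after the request line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\n")[1:]:
        line = line.rstrip(b"\r")
        if b":" in line:
            name, value = line.split(b":", 1)
            yield name, value.strip()


def naive_parse(raw: bytes) -> dict:
    """Permissive mapping, modelled on the pre-2.04 behaviour the advisory
    describes: percent-decode the value and keep whatever bytes come out."""
    return {header_to_env_name(n): unquote_to_bytes(v) for n, v in _header_fields(raw)}


def has_ctl(data: bytes) -> bool:
    return any(b in CTL_BYTES for b in data)


def strict_parse(raw: bytes) -> dict:
    """Hardened mapping: reject CR/LF/NUL in the raw field and, because the
    server may percent-decode header values, in the decoded form as well."""
    env = {}
    for name, value in _header_fields(raw):
        decoded = unquote_to_bytes(value)
        if has_ctl(name) or has_ctl(value) or has_ctl(decoded):
            raise BadRequest(f"control character in header {name!r}")
        env[header_to_env_name(name)] = decoded
    return env


def build_env_block(env: dict) -> bytes:
    """NUL-delimited block in the Win32 CreateProcess layout: NAME=VALUE\\0 ... \\0."""
    return b"".join(k.encode("latin-1") + b"=" + v + b"\0" for k, v in env.items()) + b"\0"


def read_env_block(block: bytes) -> dict:
    """What the CGI child sees: every NUL-terminated NAME=VALUE is one variable."""
    env = {}
    for entry in block.split(b"\0"):
        if b"=" in entry:
            k, v = entry.split(b"=", 1)
            env[k.decode("latin-1")] = v
    return env


# Constructed request: header values carry encoded CRLF and NUL (not from the page).
CRAFTED = (
    b"GET /cgi-bin/app.exe HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Trace: abc%0d%0aX-Injected:%201\r\n"
    b"X-Lang: en%00INJECTED=1\r\n"
    b"\r\n"
)
BENIGN = b"GET /cgi-bin/app.exe HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\r\n\r\n"


def demo() -> dict:
    """Run both parsers over the crafted request and report what each yields."""
    leaky = naive_parse(CRAFTED)
    child = read_env_block(build_env_block(leaky))
    try:
        strict_parse(CRAFTED)
        rejected = False
    except BadRequest:
        rejected = True
    return {
        # The CRLF survives into the value; anything downstream that splits on
        # lines now sees a second, attacker-written "header".
        "naive_trace_lines": leaky["HTTP_X_TRACE"].split(b"\r\n"),
        # The NUL splits one variable into two in the child's environment.
        "child_x_lang": child["HTTP_X_LANG"],
        "child_injected": child.get("INJECTED"),
        "strict_rejected": rejected,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

A proxy placed in front of an unpatched instance normally already refuses raw CR, LF and NUL in header fields; the `has_ctl(decoded)` branch is the part such a filter has to add, because `%0d%0a` and `%00` are syntactically valid header content and only become control characters once something decodes them.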



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ritlabs; Ritlabs tinyweb
CPEs                 -                cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
Vendors & Products   -                Ritlabs; Ritlabs tinyweb
Metrics              -                cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


Fri, 06 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Maximmasiutin; Maximmasiutin tinyweb
Vendors & Products   -                Maximmasiutin; Maximmasiutin tinyweb

Fri, 06 Mar 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description   -                TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
Title         -                TinyWeb: HTTP Header Control Character Injection into CGI Environment
Weaknesses    -                CWE-114; CWE-20; CWE-74; CWE-93
References    -
Metrics       -                cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:10:18.974Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29046

Vulnrichment

Updated: 2026-03-06T16:00:28.596Z

NVD

Status : Analyzed

Published: 2026-03-06T04:16:08.740

Modified: 2026-03-16T15:00:12.227

Link: CVE-2026-29046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z