Description
A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. This affects the function tiny_web_server/tiny.c of the file tiny_web_server/tiny.c of the component URL Handler. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via memory corruption
Action: Patch when available
AI Analysis

Impact

The vulnerability is an out-of-bounds write in the URL handler of Zaher1307’s tiny_web_server. A malformed URL can overwrite adjacent memory, potentially leading to memory corruption and hence remote code execution.

Affected Systems

The affected vendor is Zaher1307 and the product is tiny_web_server. The flaw exists in commits up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. Continuous delivery of the project means any legacy or unpatched instance may be vulnerable, but no specific patched versions have been released yet.

Risk and Exploitability

The CVSS score of 6.9 classifies it as medium severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation at present. The vulnerability can be triggered remotely through crafted URLs, and it has already been publicly disclosed. Because it is not in the KEV catalog, current threat monitoring efforts should focus on the open-source issue tracker and the project’s GitHub repository.

Generated by OpenCVE AI on April 17, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the project’s GitHub releases or commit history for a fixed version, and update tiny_web_server when a patch is released.
  • If no patch is currently available, temporarily disable the vulnerable URL handler or configure the server to serve that route only to trusted IP addresses.
  • Restrict inbound traffic to the tiny_web_server port to limit exposure while a fix is pending.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Zaher1307
Zaher1307 tiny Web Server
Vendors & Products Zaher1307
Zaher1307 tiny Web Server

Sun, 22 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. This affects the function tiny_web_server/tiny.c of the file tiny_web_server/tiny.c of the component URL Handler. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title Zaher1307 tiny_web_server URL tiny.c out-of-bounds write
Weaknesses CWE-119
CWE-787
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:12:30.061Z

Reserved: 2026-02-21T15:20:46.556Z

Link: CVE-2026-2940

Vulnrichment

Updated: 2026-02-23T19:12:21.588Z

NVD

Status: Deferred

Published: 2026-02-22T10:15:56.747

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses