Tinyweb
CVE-2026-27633
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large Content-Length header (e.g., 2147483647). The server continuously allocates memory for the request body (EntityBody) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a CMaxEntityBodySize limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., client_max_body_size in nginx).
AnalysisAI
TinyWeb versions prior to 2.02 are vulnerable to denial of service through memory exhaustion when unauthenticated attackers send HTTP POST requests with extremely large Content-Length headers, causing the server to allocate unbounded memory and crash. The vulnerability affects all organizations running vulnerable TinyWeb instances, and patch version 2.02 addresses it by implementing a 10MB maximum entity body size limit.
Technical ContextAI
Classified as CWE-400 (Uncontrolled Resource Consumption). Affects Tinyweb. TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large Content-Length header (e.g., 2147483647). The server continuously allocates memory for the request body (EntityBody) while streaming the payload without enforcing any maximum limit, leading to all available memory being con
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
TinyWeb 1.94 and below allows unauthenticated remote attackers to cause a denial of service (Buffer Overflow) when sendi
TinyWeb HTTP Server before 1.98 has OS command injection via CGI ISINDEX query parameters. The query string is passed as
Unauthenticated command injection in TinyWeb HTTP/HTTPS server for Win32 before 2.01 allows remote attackers to execute
A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. Rated medium severity (CVSS 5.5), this vulner
Integer overflow in TinyWeb before 2.03.
TinyWeb versions prior to 2.04 fail to properly sanitize control characters and encoded sequences (CR, LF, NUL) in HTTP
TinyWeb versions prior to 2.02 lack connection limits and request timeouts, enabling unauthenticated remote attackers to
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today