Tinyweb
CVE-2026-29046
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
AnalysisAI
TinyWeb versions prior to 2.04 fail to properly sanitize control characters and encoded sequences (CR, LF, NUL) in HTTP request headers, allowing attackers to inject malicious values into CGI environment variables and bypass parser validation. This network-accessible vulnerability enables header injection attacks that could lead to data corruption or denial of service without requiring authentication. No patch is currently available for affected deployments.
Technical ContextAI
Classified as CWE-20 (Improper Input Validation). Affects written in Delphi for Win32.. TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI ex
RemediationAI
Fixed in version 2.04..
TinyWeb 1.94 and below allows unauthenticated remote attackers to cause a denial of service (Buffer Overflow) when sendi
TinyWeb HTTP Server before 1.98 has OS command injection via CGI ISINDEX query parameters. The query string is passed as
Unauthenticated command injection in TinyWeb HTTP/HTTPS server for Win32 before 2.01 allows remote attackers to execute
A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. Rated medium severity (CVSS 5.5), this vulner
Integer overflow in TinyWeb before 2.03.
TinyWeb versions prior to 2.02 are vulnerable to denial of service through memory exhaustion when unauthenticated attack
TinyWeb versions prior to 2.02 lack connection limits and request timeouts, enabling unauthenticated remote attackers to
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today