RitlabsTinyweb

8 matches found

CVE, added 2024/05/10 4:24 p.m., 76 views

CVE-2024-34199

TinyWeb 1.94 and earlier are affected by an unauthenticated remote DoS due to a buffer overflow when oversized elements appear in the request line. The root cause is not explicitly detailed beyond the described buffer overflow in the request line, and the exploitation is network-based with no aut...

CVSS 8.6, AI score 7, EPSS 0.01226
CVE, added 2024/05/22 10:31 a.m., 49 views

CVE-2024-5193

CVE-2024-5193 affects Ritlabs TinyWeb Server 1.94. The vulnerability arises in the Request Handler where crafting input containing %0D%0A enables CRLF injection. It can be exploited remotely, and public disclosures exist. Upgrading to TinyWeb Server 1.99 mitigates the issue; the patch identifier ...

CVSS 6.9, AI score 5.7, EPSS 0.00669
CVE, added 2026/03/06 2:51 a.m., 22 views

CVE-2026-28497

TinyWeb (Delphi, Win32) before version 2.03 contains an integer overflow in the string-to-integer conversion routine (_Val) that enables an unauthenticated remote attacker to bypass Content-Length checks and perform HTTP Request Smuggling. This affects servers using persistent connections (Keep-A...

CVSS 9.3, AI score 6, EPSS 0.00467
CVE, added 2026/01/12 6:23 p.m., 18 views

CVE-2026-22781

CVE-2026-22781 applies to TinyWeb HTTP Server prior to 1.98. The flaw is an OS command injection via CGI ISINDEX-style query parameters, where the parameters are passed as command-line arguments to the CGI executable through Windows CreateProcess(). An unauthenticated remote attacker can inject W...

CVSS 10, AI score 7.8, EPSS 0.02174
CVE, added 2026/02/25 10:58 p.m., 14 views

CVE-2026-27613

CVE-2026-27613 affects TinyWeb (Delphi, Win32) versions prior to 2.01. An unauthenticated remote attacker can bypass CGI parameter security controls, with impact depending on configuration and CGI executable: possible source code disclosure or remote code execution. The issue is fixed in version ...

CVSS 10, AI score 6.4, EPSS 0.00748
CVE, added 2026/02/25 11:07 p.m., 13 views

CVE-2026-27633

CVE-2026-27633 affects TinyWeb on Windows (Delphi; pre-2.02). Unauthenticated remote attackers can trigger a DoS by sending an HTTP POST with an extremely large Content-Length; TinyWeb allocates memory for the request body and streams it in without a cap, exhausting all available memory and crashing. ...

CVSS 8.7, AI score 5.7, EPSS 0.00436
CVE, added 2026/02/25 11:05 p.m., 12 views

CVE-2026-27630

CVE-2026-27630 affects TinyWeb (Delphi, Win32) prior to version 2.02. The vulnerability is a Denial of Service via Slowloris: the server spawns an OS thread per incoming connection without concurrency limits or proper request timeouts, allowing an unauthenticated attacker to exhaust threads and m...

CVSS 8.7, AI score 5.8, EPSS 0.00436
CVE, added 2026/03/06 2:54 a.m., 12 views

CVE-2026-29046

TinyWeb (Delphi, Win32) before v2.04 maps request header values into CGI environment variables (HTTP_*) and does not strictly reject dangerous control characters (CR, LF, NUL) or their encoded forms (%0d, %0a, %00). This can cause header value confusion across parser boundaries and place unsafe d...

CVSS 9.2, AI score 6, EPSS 0.00387