6 matches found
CVE-2026-28497
TinyWeb (Delphi, Win32) before version 2.03 contains an integer overflow in the string-to-integer conversion routine (_Val) that enables an unauthenticated remote attacker to bypass Content-Length checks and perform HTTP Request Smuggling. This affects servers using persistent connections (Keep-A...
CVE-2026-22781
CVE-2026-22781 applies to TinyWeb HTTP Server prior to 1.98. The flaw is an OS command injection via CGI ISINDEX-style query parameters, where the parameters are passed as command-line arguments to the CGI executable through Windows CreateProcess(). An unauthenticated remote attacker can inject W...
CVE-2026-29046
TinyWeb (Delphi, Win32) before v2.04 maps request header values into CGI environment variables (HTTP_*) and does not strictly reject dangerous control characters (CR, LF, NUL) or their encoded forms (%0d, %0a, %00). This can cause header value confusion across parser boundaries and place unsafe d...
CVE-2026-27613
CVE-2026-27613 affects TinyWeb (Delphi, Win32) versions prior to 2.01. An unauthenticated remote attacker can bypass CGI parameter security controls, with impact depending on configuration and CGI executable: possible source code disclosure or remote code execution. The issue is fixed in version ...
CVE-2026-27630
CVE-2026-27630 affects TinyWeb (Delphi, Win32) prior to version 2.02. The vulnerability is a Denial of Service via Slowloris: the server spawns an OS thread per incoming connection without concurrency limits or proper request timeouts, allowing an unauthenticated attacker to exhaust threads and m...
CVE-2026-27633
CVE-2026-27633 affects TinyWeb on Windows (Delphi; pre-2.02). Unauthenticated remote attackers can trigger a DoS by sending an HTTP POST with an extremely large Content-Length; TinyWeb allocates memory for the request body streaming it without a cap, exhausting all available memory and crashing. ...