CVE-2026-22781

CRITICAL EPSS 80.0%
Published Jan 12, 20265mo ago · Modified Jun 17, 20261w ago
10.0 CVSS 4.0
Critical
Find Similar
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

CVSS Details

Base Score
10.0
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
80.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

VendorProductVersionRange
ritlabstinyweb* <1.98

References 3

  • github.com https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96
    Patch
  • github.com https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2
    Third Party Advisory
  • masiutin.net https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html
    Third Party Advisory

Remediation

  • github.com https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96
    Patch