CVE-2026-29046

CRITICAL EPSS 30.5%
Published Mar 6, 20263mo ago · Modified Jun 17, 20261w ago
9.2 CVSS 4.0
Critical
Find Similar
Published Mar 6, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

CVSS Details

Base Score
9.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
30.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 4

CWE-114
CWE-20 Improper Input Validation Validation
CWE-74
CWE-93

Affected Products 1

VendorProductVersionRange
ritlabstinyweb* <2.04

References 2

  • github.com https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a
    Patch
  • github.com https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a
    Patch