CVE-2026-29046

EUVD-2026-9972

06.03.2026, 04:16

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
ritlabs	tinyweb	𝑥 < 2.04

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc