CVE-2026-27613

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).
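The WAF rule suggested above, as an added defender-side check (example code, not TinyWeb's or the advisory's own): it percent-decodes the query string and flags any token that begins with a hyphen or contains a double quote, so an encoded hyphen (`%2D`) is caught as well as a literal one. The function names and the sample query strings are constructed for this example.

```python
import urllib.parse


def query_tokens(query: str) -> list[str]:
    """Return every decoded token a CGI program could receive from the query.

    Under the CGI spec (RFC 3875, section 4.4) a query string without an
    unencoded "=" is an "indexed" query and is handed to the program as
    command-line arguments split on "+"; otherwise it is name=value pairs
    joined by "&". Both shapes are covered so the check sees every token.
    """
    query = query.lstrip("?")
    if "=" not in query:
        return [urllib.parse.unquote(arg) for arg in query.split("+") if arg]
    tokens = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        tokens.append(urllib.parse.unquote_plus(name))
        tokens.append(urllib.parse.unquote_plus(value))
    return tokens


def is_suspicious_cgi_query(query: str) -> bool:
    """True if any decoded token starts with "-" or contains a double quote."""
    return any(tok.startswith("-") or '"' in tok for tok in query_tokens(query))


# Constructed sample query strings (hypothetical, not from the advisory).
SAMPLES = {
    "?page=home&lang=en": False,   # ordinary name=value pairs
    "?-h": True,                   # leading hyphen in an indexed query
    "?%2Dh": True,                 # same hyphen, percent-encoded
    "?q=%22hello%22": True,        # encoded double quote in a value
    "?q=hello+world": False,       # "+" inside a value is only a space
}


def self_check() -> bool:
    """Run the constructed samples through the check; True if all agree."""
    return all(is_suspicious_cgi_query(q) == want for q, want in SAMPLES.items())
```

Run the check on the raw query string before it reaches the CGI handler; on a request that is flagged, reject it rather than trying to sanitise it.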
Configurations

Configuration 1

cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*

History

04 Mar 2026, 03:21

Type        Values Removed                    Values Added
First Time  (none)                            Ritlabs tinyweb
                                              Ritlabs
CVSS        v2 : unknown                      v2 : unknown
            v3 : unknown                      v3 : 9.8
CPE         (none)                            cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
References  https://github.com/maximmasiutin/TinyWeb/commit/d9dbda8db49da69d2160e1c527e782b73b5ffb6b (untagged)
            https://github.com/maximmasiutin/TinyWeb/commit/d9dbda8db49da69d2160e1c527e782b73b5ffb6b - Patch
References  https://github.com/maximmasiutin/TinyWeb/releases/tag/v2.01 (untagged)
            https://github.com/maximmasiutin/TinyWeb/releases/tag/v2.01 - Release Notes
References  https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rfx5-fh9m-9jj9 (untagged)
            https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rfx5-fh9m-9jj9 - Vendor Advisory
References  https://www.masiutin.net/tinyweb-cve-2026-27613.html (untagged)
            https://www.masiutin.net/tinyweb-cve-2026-27613.html - Third Party Advisory

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is affected. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).

25 Feb 2026, 23:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-25 23:16

Updated : 2026-03-04 03:21


NVD link : CVE-2026-27613

Mitre link : CVE-2026-27613

CVE.ORG link : CVE-2026-27613



Products Affected

ritlabs

  • tinyweb
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')