CVE-2026-27633

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates memory for the request body (`EntityBody`) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxEntityBodySize` limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/maximmasiutin/TinyWeb/commit/1cb5a1d	Patch
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-992w-gmcm-fmgr	Vendor Advisory
https://www.masiutin.net/tinyweb-cve-2026-27633.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*

History

28 Feb 2026, 01:00

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Ritlabs tinyweb Ritlabs
CPE		cpe:2.3:a:ritlabs:tinyweb::::::::
References	~~() https://github.com/maximmasiutin/TinyWeb/commit/1cb5a1d -~~	() https://github.com/maximmasiutin/TinyWeb/commit/1cb5a1d - Patch
References	~~() https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-992w-gmcm-fmgr -~~	() https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-992w-gmcm-fmgr - Vendor Advisory
References	~~() https://www.masiutin.net/tinyweb-cve-2026-27633.html -~~	() https://www.masiutin.net/tinyweb-cve-2026-27633.html - Third Party Advisory
CWE		CWE-770

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Las versiones anteriores a la versión 2.02 tienen una vulnerabilidad de denegación de servicio (DoS) a través del agotamiento de la memoria. Atacantes remotos no autenticados pueden enviar una solicitud POST HTTP al servidor con una cabecera 'Content-Length' excepcionalmente grande (p. ej., '2147483647'). El servidor asigna continuamente memoria para el cuerpo de la solicitud ('EntityBody') mientras transmite la carga útil sin imponer ningún límite máximo, lo que lleva a que toda la memoria disponible sea consumida y provoca la caída del servidor. Cualquiera que aloje servicios usando TinyWeb se ve afectado. La versión 2.02 corrige el problema. El parche introduce un límite 'CMaxEntityBodySize' (establecido en 10MB) para el tamaño máximo de las cargas útiles aceptadas. Como solución alternativa temporal si la actualización no es posible de inmediato, considere colocar el servidor detrás de un Cortafuegos de Aplicaciones Web (WAF) o un proxy inverso (como nginx o Cloudflare) configurado para limitar explícitamente el tamaño máximo permitido del cuerpo de la solicitud HTTP (p. ej., 'client_max_body_size' en nginx).

26 Feb 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 00:16

Updated : 2026-02-28 01:00

NVD link : CVE-2026-27633

Mitre link : CVE-2026-27633

CVE.ORG link : CVE-2026-27633

JSON object : View

Products Affected

ritlabs

tinyweb

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10