CVE-2026-28497

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.

CVSS

No CVSS.

References

Link	Resource
https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f

Configurations

No configuration.

History

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Antes de la versión 2.03, una vulnerabilidad de desbordamiento de entero en la rutina de conversión de cadena a entero (_Val) permite a un atacante remoto no autenticado eludir las restricciones de Content-Length y realizar HTTP Request Smuggling. Esto puede conducir a acceso no autorizado, elusión de filtros de seguridad y potencial envenenamiento de caché. El impacto es crítico para servidores que utilizan conexiones persistentes (Keep-Alive). Este problema ha sido parcheado en la versión 2.03.

06 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 04:16

Updated : 2026-03-09 13:36

NVD link : CVE-2026-28497

Mitre link : CVE-2026-28497

CVE.ORG link : CVE-2026-28497

JSON object : View

Products Affected

No product.

CWE

CWE-190

Integer Overflow or Wraparound

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2026-28497", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T04:16:07.990", "references": [{"url": "https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e", "source": "security-advisories@github.com"}, {"url": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03."}, {"lang": "es", "value": "TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Antes de la versi\u00f3n 2.03, una vulnerabilidad de desbordamiento de entero en la rutina de conversi\u00f3n de cadena a entero (_Val) permite a un atacante remoto no autenticado eludir las restricciones de Content-Length y realizar HTTP Request Smuggling. Esto puede conducir a acceso no autorizado, elusi\u00f3n de filtros de seguridad y potencial envenenamiento de cach\u00e9. El impacto es cr\u00edtico para servidores que utilizan conexiones persistentes (Keep-Alive). Este problema ha sido parcheado en la versi\u00f3n 2.03."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "security-advisories@github.com"}