CVE-2026-28497

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e	Patch
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*

History

16 Mar 2026, 15:37

Type	Values Removed	Values Added
References	~~() https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e -~~	() https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e - Patch
References	~~() https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f -~~	() https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f - Exploit, Vendor Advisory
CPE		cpe:2.3:a:ritlabs:tinyweb::::::::
First Time		Ritlabs tinyweb Ritlabs
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Antes de la versión 2.03, una vulnerabilidad de desbordamiento de entero en la rutina de conversión de cadena a entero (_Val) permite a un atacante remoto no autenticado eludir las restricciones de Content-Length y realizar HTTP Request Smuggling. Esto puede conducir a acceso no autorizado, elusión de filtros de seguridad y potencial envenenamiento de caché. El impacto es crítico para servidores que utilizan conexiones persistentes (Keep-Alive). Este problema ha sido parcheado en la versión 2.03.

06 Mar 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 04:16

Updated : 2026-03-16 15:37

NVD link : CVE-2026-28497

Mitre link : CVE-2026-28497

CVE.ORG link : CVE-2026-28497

JSON object : View

Products Affected

ritlabs

tinyweb

CWE

CWE-190

Integer Overflow or Wraparound

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

9.1 /10