CVE-2026-29046

moderate-risk

Published 2026-03-06

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

Do I need to act?

0.24% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Tinyweb

Affected Vendors

Ritlabs

References (2)

Patch https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7...

Exploit https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal