CVE-2026-27613

EPSS 0.15%
Veröffentlicht 25.02.2026 22:58:16
Zuletzt bearbeitet 04.03.2026 03:21:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ritlabs ≫ Tinyweb Version < 2.01

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.354

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rfx5-fh9m-9jj9

Vendor Advisory

https://github.com/maximmasiutin/TinyWeb/commit/d9dbda8db49da69d2160e1c527e782b73b5ffb6b

Patch

https://github.com/maximmasiutin/TinyWeb/releases/tag/v2.01

Release Notes

https://www.masiutin.net/tinyweb-cve-2026-27613.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27613

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27613

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27613

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27613