VYPR
High severity · 7.3 · NVD Advisory · Published Jun 15, 2026

CVE-2026-12200

Description

A stack buffer overflow in TinyWeb Server ≤1.94's Authorization header (via libeay32.dll) allows remote unauthenticated code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the Header Handler component of TinyWeb Server up to version 1.94 on Win32. An overflow occurs when processing the Authorization header within the libeay32.dll library. The manipulation of the Authorization argument leads to a stack-based buffer overflow. The affected versions are up to and including 1.94.

Exploitation

An attacker can trigger this vulnerability remotely without authentication. The attack works by sending a crafted Authorization header whose value is base64-encoded. Because the value is base64, each encoded character carries only six bits (a value between 0x00 and 0x3F), which constrains the byte values available to the attacker. The maximum payload size is 692 bytes, with the EIP offset at 268 bytes [1]. Reliable exploitation requires that the target has no stack protections, ASLR, or DEP enabled; the exploit has nonetheless been demonstrated with 100% reliability on current Windows systems using common DLL sources [1].

Impact

Successful exploitation allows arbitrary code execution with the privileges of the TinyWeb Server process. The attacker gains full control of the application, which could lead to system compromise, including data exfiltration or further lateral movement.

Mitigation

The vendor (Ritlabs) was contacted but did not respond, so no official patch exists as of the publication date. Users should consider migrating to an alternative web server or restrict network access to TinyWeb Server via firewall rules. The exploit is publicly known and may be actively used [1].
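With no vendor patch available, a compensating control is to inspect requests for the header the narrative above describes before they reach the server. The following is an added example, not code from this advisory, from TinyWeb or from Ritlabs. It parses raw HTTP requests (constructed sample input is embedded), decodes any Basic Authorization token, and flags tokens whose decoded length exceeds a threshold or that decode to non-printable bytes, which legitimate `user:password` credentials never do. The default threshold reuses the 268-byte EIP offset cited above; the advisory does not say whether that figure applies to the encoded or the decoded payload, so treating it as a bound on the decoded length is an assumption, as is the `analyze_request`/`scan_requests` API itself.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Threshold taken from the advisory text (EIP offset at 268 bytes).
# ASSUMPTION: applied here to the decoded credential length; lower it if
# your own traffic shows legitimate credentials are far shorter.
DEFAULT_MAX_DECODED = 268

# Matches a single header line "Authorization: Basic <token>" (case-insensitive).
AUTH_RE = re.compile(r"^authorization:\s*basic\s+(\S+)\s*$", re.IGNORECASE)


def extract_basic_token(raw_request: str) -> Optional[str]:
    """Return the base64 token from a Basic Authorization header, or None."""
    for line in raw_request.split("\r\n"):
        match = AUTH_RE.match(line)
        if match:
            return match.group(1)
    return None


def analyze_request(raw_request: str, max_decoded: int = DEFAULT_MAX_DECODED) -> dict:
    """Classify one raw HTTP request by its Basic Authorization header.

    verdict is one of: 'no-auth', 'undecodable', 'oversized', 'binary', 'ok'.
    """
    token = extract_basic_token(raw_request)
    if token is None:
        return {"verdict": "no-auth", "encoded_len": 0, "decoded_len": 0, "printable": True}
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them, so malformed tokens are surfaced.
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "undecodable", "encoded_len": len(token),
                "decoded_len": 0, "printable": False}
    # Real Basic credentials are printable ASCII of the form user:password.
    printable = all(0x20 <= b < 0x7F for b in decoded)
    if len(decoded) > max_decoded:
        verdict = "oversized"
    elif not printable:
        verdict = "binary"
    else:
        verdict = "ok"
    return {"verdict": verdict, "encoded_len": len(token),
            "decoded_len": len(decoded), "printable": printable}


def scan_requests(requests: List[str], max_decoded: int = DEFAULT_MAX_DECODED) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every request that is not 'ok' or 'no-auth'."""
    flagged = []
    for i, req in enumerate(requests):
        verdict = analyze_request(req, max_decoded)["verdict"]
        if verdict not in ("ok", "no-auth"):
            flagged.append((i, verdict))
    return flagged


def _request_with_token(token: str) -> str:
    """Build a minimal GET request carrying the given Basic token (constructed sample)."""
    return "GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic " + token + "\r\n\r\n"


# Constructed sample traffic: one legitimate login, one oversized token,
# one token decoding to non-printable bytes, one malformed token, one without auth.
SAMPLE_REQUESTS = [
    _request_with_token(base64.b64encode(b"alice:s3cret").decode()),
    _request_with_token(base64.b64encode(b"x" * 300).decode()),
    _request_with_token(base64.b64encode(bytes([0, 1, 2]) * 10).decode()),
    _request_with_token("not*base64!"),
    "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}")
```

Run against a capture of inbound traffic, the scan gives you the request indices to look at; in front of a live TinyWeb instance the same check can sit in a reverse proxy that drops anything not classified `ok` or `no-auth`, which narrows exposure without waiting for the patch that, per the advisory, does not exist.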

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.