Unrated severity · OSV Advisory · Published Jan 12, 2026 · Updated Jan 12, 2026
TinyWeb CGI Command Injection
CVE-2026-22781
Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
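A log check for the request shape described above, as an added example that is not part of the advisory or of TinyWeb's code. It applies the RFC 3875 section 4.4 rule that an "indexed" query has no unencoded `=`, with words split on `+` and then URL-decoded. The `/cgi-bin/` prefix, the script name, the log format and the metacharacter set are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed set of Windows shell metacharacters; not taken from the TinyWeb fix.
SHELL_META = set('&|<>^"%()\r\n')
# Request part of a common-log-format line (assumed log format).
REQUEST_RE = re.compile(r'"(GET|HEAD) (\S+) HTTP/[\d.]+"')


def isindex_words(target):
    """Return the decoded ISINDEX words of a request target, or None.

    A query with no unencoded '=' is "indexed" (RFC 3875 section 4.4);
    its words are separated by '+' and URL-decoded individually.
    """
    _path, sep, query = target.partition("?")
    if not sep or not query or "=" in query:
        return None
    return [unquote(word) for word in query.split("+")]


def suspicious_words(target):
    """Decoded ISINDEX words that contain a shell metacharacter."""
    words = isindex_words(target) or []
    return [w for w in words if SHELL_META & set(w)]


def scan(log_lines, cgi_prefix="/cgi-bin/"):
    """Yield (line_number, target, bad_words) for flagged CGI requests."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or not match.group(2).startswith(cgi_prefix):
            continue
        bad = suspicious_words(match.group(2))
        if bad:
            yield number, match.group(2), bad


# Constructed sample lines (not real traffic); find.exe is a hypothetical CGI.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2026:10:00:01 +0000] "GET /cgi-bin/find.exe?alpha+beta HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Jan/2026:10:00:02 +0000] "GET /cgi-bin/find.exe?alpha%26beta+gamma HTTP/1.1" 200 512',
    '192.0.2.12 - - [12/Jan/2026:10:00:03 +0000] "GET /cgi-bin/find.exe?name=a%7Cb HTTP/1.1" 200 512',
    '192.0.2.13 - - [12/Jan/2026:10:00:04 +0000] "GET /index.html?x%7Cy HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, target, bad in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> {bad}")
```

Only the second sample line is flagged: the third carries an unencoded `=` and so is an ordinary form query rather than an ISINDEX one, and the fourth is not a CGI path.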
Affected products
- Range: v1.95, v1.96, v1.97
Patches
No patches discovered yet.
References
- github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 (mitre, x_refsource_MISC)
- github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 (mitre, x_refsource_CONFIRM)
- www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html (mitre, x_refsource_MISC)