Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026

TinyWeb: HTTP Header Control Character Injection into CGI Environment

CVE-2026-29046

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

Affected products

Maximmasiutin/Tinywebv5
Range: < 2.04

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5amitrex_refsource_MISC
github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mcmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000