VYPR

Tinyweb

by Rit Research Labs

CVEs (7)

  • CVE-2004-2636 | Dec 31, 2004
    risk 0.03 | cvss | epss 0.03

    TinyWeb 1.9 allows remote attackers to read source code of scripts via "/./" in the URL.

  • CVE-2026-29046 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.00

    TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header…

  • CVE-2026-28497 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.00

    TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request…

  • CVE-2026-27633 | Feb 25, 2026
    risk 0.00 | cvss | epss 0.00

    TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large…

  • CVE-2026-27630 | Feb 25, 2026
    risk 0.00 | cvss | epss 0.00

    TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit…

  • CVE-2026-27613 | Feb 25, 2026
    risk 0.00 | cvss | epss 0.01

    TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable…

  • CVE-2003-1510 | Dec 31, 2003
    risk 0.00 | cvss | epss 0.02

    TinyWeb 1.9 allows remote attackers to cause a denial of service (CPU consumption) via a ".%00." in an HTTP GET request to the cgi-bin directory.