CVE-2026-27630
TinyWeb vulnerable to Remote Denial of Service via Thread/Connection Exhaustion (Slowloris)
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
| CWE | CWE-400 |
| Vendor | maximmasiutin |
| Product | tinyweb |
| Published | Feb 25, 2026 |
| Last Updated | Feb 26, 2026 |
Get instant alerts for maximmasiutin tinyweb
Be the first to know when new unknown vulnerabilities affecting maximmasiutin tinyweb are published โ delivered to Slack, Telegram or Discord.