๐Ÿ” CVE Alert

CVE-2026-28497

UNKNOWN 0.0

TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.

CWE: CWE-190, CWE-444
Vendor: maximmasiutin
Product: tinyweb
Published: Mar 6, 2026
Last Updated: Mar 6, 2026

Affected Versions

maximmasiutin / TinyWeb
< 2.03

References

github.com: https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f
github.com: https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e