๐Ÿ” CVE Alert

CVE-2026-29046

UNKNOWN 0.0

TinyWeb: HTTP Header Control Character Injection into CGI Environment

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
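The check this description calls for, sketched as an added example in Python (not TinyWeb's Delphi code and not the 2.04 patch): validate each header before it is mapped to an `HTTP_*` variable. The function names, the constructed sample requests, and the policy of rejecting the whole request on raw or percent-encoded CR, LF, or NUL are assumptions made for illustration.

```python
import re

# Raw control characters: CR, LF, NUL, the rest of C0 and DEL. HTAB (0x09) stays allowed.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Percent-encoded CR, LF and NUL, the encoded forms named in the description.
_ENCODED_CTL = re.compile(r"%(?:0d|0a|00)", re.IGNORECASE)
# Characters permitted in an HTTP field name (RFC 9110 "token").
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class RejectedHeader(ValueError):
    """Raised when a header must not reach the CGI environment."""


def check_header(name, value):
    # fullmatch, not match with "$": "$" would accept a name ending in "\n".
    if not _TOKEN.fullmatch(name):
        raise RejectedHeader(f"invalid header name {name!r}")
    if _CTL.search(value):
        raise RejectedHeader(f"raw control character in {name}")
    if _ENCODED_CTL.search(value):
        raise RejectedHeader(f"encoded control character in {name}")


def cgi_environment(headers):
    """Map (name, value) pairs to HTTP_* variables; any bad header rejects the request."""
    env = {}
    for name, value in headers:
        check_header(name, value)
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers are joined, as CGI gateways conventionally do.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def is_accepted(headers):
    try:
        cgi_environment(headers)
        return True
    except RejectedHeader:
        return False


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": [("Host", "example.test"), ("User-Agent", "probe/1.0")],
    "raw CRLF": [("X-Note", "a\r\nb")],
    "encoded CR": [("X-Note", "a%0Db")],
    "raw NUL": [("X-Note", "a\x00b")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", "accepted" if is_accepted(hdrs) else "rejected")
```
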

CWE: CWE-114, CWE-20, CWE-74, CWE-93
Vendor: maximmasiutin
Product: tinyweb
Published: Mar 6, 2026
Last Updated: Mar 6, 2026

Affected Versions

maximmasiutin / TinyWeb
< 2.04

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc
github.com: https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a