CVE-2026-22781

Critical CVSS: 10.0

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

Vendor

Ritlabs

Product

Tinyweb

CWE

CWE-78

Yayın Tarihi

2026-01-12 19:16:03

Güncelleme

2026-01-16 18:44:23

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Tinyweb CRITICAL Ritlabs 2026

Referanslar

https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html

Benzer Kayıtlar

Critical

CVE-2026-29046

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header…

Critical

CVE-2026-28497

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerabil…

High

CVE-2026-27633

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Servi…

High

CVE-2026-27630

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a De…

Critical

CVE-2026-27613

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unau…