
TinyWeb web server fails to handle malicious HTTP headers

CVE-2026-29046
Summary

TinyWeb web servers prior to version 2.04 do not strictly reject control characters (CR, LF, NUL) or their encoded forms in HTTP request headers. Because header values are later mapped into CGI environment variables, a specially crafted HTTP request may place unsafe data into the CGI execution context. To fix this, upgrade to version 2.04 or later.

Original description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
NVD CVSS 4.0 score: 9.2
Vulnerability type
CWE-20 Improper Input Validation
CWE-74 Injection
CWE-93 CRLF Injection
CWE-114 Process Control
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
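
The check the description says was missing can be sketched as a strict header-to-CGI mapper. This is an added example, not TinyWeb's code or its 2.04 patch; the function names, the decode-round bound and the sample headers are assumptions, and it goes beyond the three named bytes by rejecting every C0 control except HTAB and by unwrapping nested percent-encoding.

```python
import re
from urllib.parse import unquote_to_bytes

# RFC 9110 "token" characters allowed in a field name.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# C0 controls except HTAB, plus DEL; this covers CR, LF and NUL.
_CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding


class HeaderRejected(ValueError):
    """Raised when a header line must not reach the CGI environment."""


def has_control(data: bytes) -> bool:
    """True if data holds a control byte, raw or percent-encoded."""
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if _CONTROL.search(data):
            return True
        decoded = unquote_to_bytes(data)
        if decoded == data:  # nothing left to decode
            return False
        data = decoded
    return True  # still changing after the bound: treat as hostile


def header_to_cgi(line: bytes) -> tuple[str, str]:
    """Validate one header line (CRLF terminator already removed)
    and return its (HTTP_* name, value) pair."""
    if has_control(line):
        raise HeaderRejected("control character in header line")
    name, sep, value = line.partition(b":")
    # fullmatch, not match with '$', which would accept a trailing LF
    if not sep or not _TOKEN.fullmatch(name):
        raise HeaderRejected("malformed field name")
    env_name = "HTTP_" + name.decode("ascii").upper().replace("-", "_")
    return env_name, value.strip(b" \t").decode("latin-1")


def build_cgi_env(lines: list[bytes]) -> dict[str, str]:
    """Map validated header lines to CGI variables, rejecting the
    whole request on the first bad line."""
    return dict(header_to_cgi(line) for line in lines)


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    print(build_cgi_env([b"Host: example.test", b"Accept: text/html"]))
```
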