TinyWeb web server crashes with large HTTP requests

CVE-2026-27633
Summary

TinyWeb web servers older than version 2.02 can be crashed by a very large HTTP request. Updating to version 2.02 fixes this. If you can't update right now, put the server behind a firewall or proxy that limits the size of incoming requests so that oversized requests never reach it.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| ritlabs | tinyweb | <= 2.02 | – |
Original title
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attacker...
Original description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates memory for the request body (`EntityBody`) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxEntityBodySize` limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).
nvd CVSS3.1 7.5
nvd CVSS4.0 8.7
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
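
The kind of bounded body read the description attributes to the 2.02 patch, sketched in Python as an added example; it is not TinyWeb's Delphi code or the vendor's patch. The names `read_entity_body` and `BodyRejected`, the chunk size, and the exact byte value used for the 10MB limit are assumptions made for illustration.

```python
import io

# Assumption: 10 MiB, mirroring the 10MB CMaxEntityBodySize limit in the description.
MAX_ENTITY_BODY_SIZE = 10 * 1024 * 1024
CHUNK = 64 * 1024  # illustrative read size


class BodyRejected(Exception):
    """Carries the HTTP status the server should answer with."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_content_length(value):
    """Accept only a plain run of ASCII digits; reject signs, blanks, Unicode digits."""
    if value is None:
        raise BodyRejected(411, "Length Required")
    value = value.strip()
    if not (value.isascii() and value.isdigit()):
        raise BodyRejected(400, "Bad Content-Length")
    return int(value)


def read_entity_body(stream, content_length_header, limit=MAX_ENTITY_BODY_SIZE):
    """Read a request body without ever buffering more than `limit` bytes."""
    declared = parse_content_length(content_length_header)
    # Check 1: refuse an oversized declaration before reading or allocating anything.
    if declared > limit:
        raise BodyRejected(413, "Content Too Large")
    body = bytearray()
    # Check 2: never read past the declared (already capped) length,
    # so the buffer stays bounded even if the peer keeps sending.
    while len(body) < declared:
        chunk = stream.read(min(CHUNK, declared - len(body)))
        if not chunk:
            raise BodyRejected(400, "Body shorter than Content-Length")
        body.extend(chunk)
    return bytes(body)
```

A request declaring `Content-Length: 2147483647` is rejected with 413 before a single body byte is read, which is the property the unpatched server lacked.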