
TinyWeb Web Server: Remote Attackers Can Steal or Execute Code

CVE-2026-27613
Summary

If you run a TinyWeb release before the fix, remote attackers can bypass the server's CGI parameter checks without authenticating. Depending on which CGI executable is configured, the result is disclosure of script source code or remote code execution; PHP served through php-cgi.exe is the main concern, because that binary natively accepts command-line flags. Upgrade to a fixed version. If you cannot upgrade yet, make sure the STRICT_CGI_PARAMS define is enabled (it is on by default in define.inc), avoid CGI executables that accept dangerous command-line flags, and put a web application firewall in front of the server that blocks query-string parameters beginning with a hyphen (-) or containing an encoded double quote (%22).

What to do

The advisory text below states the issue is patched in TinyWeb 2.01, while the affected-versions table on this page lists <= 2.01; confirm the fixed version with the vendor before relying on an upgrade alone. Until you are on a fixed build, keep STRICT_CGI_PARAMS enabled, do not expose php-cgi.exe or other CGI executables that accept command-line flags, and filter hyphen-led or quote-bearing query parameters at a WAF.

Affected software
Vendor    Product   Affected versions   Fix available
ritlabs   tinyweb   <= 2.01             –
Original description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).
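The advisory's interim mitigation is a WAF rule: drop requests whose query string carries a parameter that begins with a hyphen or contains an encoded double quote. The block below is an added example of that rule written as a request screen, not TinyWeb code and not a reconstruction of its STRICT_CGI_PARAMS check (that code is not on this page). The background it relies on is general CGI/1.1 behaviour (RFC 3875 section 4.4: a query string with no unencoded "=" is split on "+" and handed to the CGI program as command-line arguments), which is why a leading hyphen in a parameter can reach php-cgi.exe as a switch; whether TinyWeb's bypass follows exactly that route is not stated in the advisory. The example goes one step beyond the advisory's wording: it applies the rule after percent-decoding (bounded, to catch double encoding), so an encoded hyphen such as %2D is caught as well. All request lines are constructed samples.

```python
"""Query-string screen modelled on the advisory's WAF mitigation.

Added example; not part of TinyWeb and not its STRICT_CGI_PARAMS logic.
Rule from the advisory: block a query parameter that begins with '-' or
contains a double quote (%22).  Extension made here: the rule is applied
to the percent-decoded parameter, so '%2Ds' is treated like '-s'.
"""
from urllib.parse import unquote

MAX_DECODE_PASSES = 3  # assumption: enough to unwind double/triple encoding


def fully_decode(value: str, passes: int = MAX_DECODE_PASSES) -> str:
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query: str) -> list[str]:
    """Split a raw query string into parameters without decoding them.

    Splits on '&' and ';' (both seen as separators in practice) and on '+',
    because CGI/1.1 (RFC 3875 s4.4) splits an '='-less query on '+' when it
    builds the CGI program's argv.  Empty parameters are dropped.
    """
    parts: list[str] = []
    for chunk in query.replace(";", "&").split("&"):
        parts.extend(chunk.split("+"))
    return [p for p in parts if p != ""]


def offending_parameters(query: str) -> list[str]:
    """Return the raw parameters the advisory's rule would block."""
    bad = []
    for raw in split_query(query):
        decoded = fully_decode(raw)
        # Leading hyphen: could be delivered to the CGI binary as a switch.
        # Double quote: the advisory lists %22 as a marker to reject.
        if decoded.startswith("-") or '"' in decoded:
            bad.append(raw)
    return bad


def should_block(query: str) -> bool:
    return bool(offending_parameters(query))


def decide(request_line: str) -> str:
    """Classify an HTTP request line as 'BLOCK' or 'ALLOW' under the rule."""
    fields = request_line.split(" ", 2)
    target = fields[1] if len(fields) >= 2 else request_line
    query = target.partition("?")[2]  # everything after the first '?'
    return "BLOCK" if should_block(query) else "ALLOW"


if __name__ == "__main__":
    # Constructed sample request lines (not captured traffic).
    samples = [
        "GET /cgi-bin/php-cgi.exe/index.php?-s HTTP/1.1",   # hyphen-led parameter
        "GET /index.php?%2Ds HTTP/1.1",                     # encoded hyphen
        "GET /index.php?%252Ds HTTP/1.1",                   # double-encoded hyphen
        "GET /index.php?page=1&q=%22x%22 HTTP/1.1",         # encoded double quotes
        "GET /index.php?x=-1 HTTP/1.1",                     # hyphen in a value: allowed
        "GET /index.php?id=42&sort=name HTTP/1.1",          # ordinary request
    ]
    for line in samples:
        print(f"{decide(line):5}  {line}")
```

The rule is deliberately coarse: it rejects any parameter that starts with a hyphen, including legitimate ones, which is the trade-off the advisory accepts for an interim control. A value containing a hyphen (x=-1) passes, since the parameter itself does not begin with one and, carrying an "=", would not be turned into argv by a CGI/1.1 server anyway.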
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 10.0
Vulnerability type
CWE-78 OS Command Injection
CWE-88 Argument Injection
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026