TinyWeb web server versions before 2.02 can be made unavailable by slow (Slowloris-style) connections
CVE-2026-27630
Summary
TinyWeb versions before 2.02 spawn an OS thread for every incoming connection with no cap on concurrent connections and no idle timeout. An unauthenticated remote attacker can open many connections and feed each one data extremely slowly (a Slowloris attack), tying up threads and memory until the server stops answering legitimate clients. Version 2.02 fixes this by capping concurrent connections and closing idle ones. If you cannot upgrade yet, put the server behind a reverse proxy or web application firewall (nginx, HAProxy, Cloudflare) that buffers incomplete requests and enforces its own connection limits and timeouts.
What to do
Upgrade to TinyWeb 2.02 or later; per the CVE record, 2.02 introduces a connection cap (512) and a 30-second idle timeout. If 2.02 is not yet available through your vendor channel, front the server with a reverse proxy or WAF that buffers incomplete requests and enforces connection limits and request timeouts until you can upgrade.
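A concrete form of the stopgap mentioned above, as an added example that is not part of the advisory or the vendor's guidance: an nginx reverse proxy configured to absorb slow clients before they ever reach TinyWeb. It assumes TinyWeb listens on 127.0.0.1:8080; the zone name, limits and timeouts are illustrative values to tune for your traffic.

```nginx
# Added example, not from the advisory. Assumes an unpatched TinyWeb on 127.0.0.1:8080.
# Weak setting (nginx defaults): client_header_timeout and client_body_timeout are 60s
# and there is no per-client connection cap, so a slow client holds a connection for a
# minute per attempt and can open as many as it likes.

limit_conn_zone $binary_remote_addr zone=perip:10m;   # counts open connections per source IP

server {
    listen 80;

    client_header_timeout 10s;   # headers that do not complete within 10s: connection closed (408)
    client_body_timeout   10s;   # same for a body that trickles in 1 byte at a time
    send_timeout          10s;   # client that stops reading the response is dropped
    keepalive_timeout     15s;   # idle keep-alive connections are not held for long

    limit_conn perip 20;         # at most 20 concurrent connections from one address
    limit_conn_status 429;

    location / {
        # Request buffering is on by default; stating it explicitly is the point of this
        # deployment: nginx reads the complete request first and only then opens a
        # connection to TinyWeb, so a half-sent request never occupies a backend thread.
        proxy_request_buffering on;
        proxy_pass http://127.0.0.1:8080;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Default proxying uses HTTP/1.0 with "Connection: close" to the backend, which is
        # what you want here: each backend thread is released as soon as the response is sent.
    }
}
```

Two caveats a practitioner should keep in mind: a per-IP limit does nothing against a distributed Slowloris, where every source opens only a few connections, so the timeouts carry most of the weight; and this only helps if TinyWeb is no longer reachable directly, so bind it to localhost or firewall its port so that all traffic goes through the proxy.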
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ritlabs | tinyweb | < 2.02 | 2.02 |
Original description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
CVSS 3.1 (NVD): 7.5
CVSS 4.0 (NVD): 8.7
Vulnerability type
CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026