CVE-2026-22781
CRITICALTinyWeb < 1.98 - Unauthenticated OS Command Injection via CGI ISINDEX Query Parameters
Title source: llmDescription
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2
Patch x_refsource_misc
https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96
Third Party Advisory x_refsource_misc
https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html
Scores
CVSS v3
9.8
EPSS
0.0217
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
ritlabs/tinyweb
< 1.98
Published
Jan 12, 2026
Tracked Since
Feb 18, 2026