CVE-2026-29046

HIGH

TinyWeb < 2.04 - CGI Environment Variable Injection via Header Parsing

Title source: llm

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc

Patch x_refsource_misc

https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a

View Patch ZIP pw:eip

Scores

CVSS v3 8.2

EPSS 0.0039

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-20 CWE-93 CWE-114 CWE-74

Status published

Products (2)

maximmasiutin/TinyWeb < 2.04

ritlabs/tinyweb < 2.04

Published Mar 06, 2026

Tracked Since Mar 06, 2026