CRITICALCVE-2026-29046Published 2026-03-06Modified 2026-03-06CNA GitHub_M

CVE-2026-29046: TinyWeb: HTTP Header Control Character Injection into CGI Environment

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

maximmasiutin / TinyWeb
< 2.04

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

References

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc
https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a

Metrics