CVE-2026-29046
CVE-2026-29046
9.2
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- None
- User Interaction
- None
- Confidentiality (Vulnerable)
- None
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- Low
- Confidentiality (Subsequent)
- None
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- Low
Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
References
security-advisories@github.com
https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5asecurity-advisories@github.com
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc