RCE in Maximmasiutin Tinyweb
CVE-2026-22781
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line argume…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.006 (70.1th percentile)
Affected products
- Maximmasiutin Tinyweb — versions < 1.98
Weakness classification (CWE)
References
- https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 (x_refsource_CONFIRM)
- https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 (x_refsource_MISC)
- https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html (x_refsource_MISC)