RCE in Maximmasiutin Tinyweb

CVE-2026-27613

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server config…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (36.1th percentile) — read the EPSS interpretation.

Affected products

Maximmasiutin Tinyweb — versions < 2.01

Weakness classification (CWE)

References

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rfx5-fh9m-9jj9 (x_refsource_CONFIRM)
https://github.com/maximmasiutin/TinyWeb/commit/d9dbda8db49da69d2160e1c527e782b73b5ffb6b (x_refsource_MISC)
https://github.com/maximmasiutin/TinyWeb/releases/tag/v2.01 (x_refsource_MISC)
https://www.masiutin.net/tinyweb-cve-2026-27613.html (x_refsource_MISC)