Resource exhaustion in Maximmasiutin Tinyweb

CVE-2026-27633

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the ser…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (34.1th percentile) — read the EPSS interpretation.

Affected products

Maximmasiutin Tinyweb — versions < 2.02

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-992w-gmcm-fmgr (x_refsource_CONFIRM)
https://github.com/maximmasiutin/TinyWeb/commit/1cb5a1d (x_refsource_MISC)
https://www.masiutin.net/tinyweb-cve-2026-27633.html (x_refsource_MISC)