Integer overflow in Maximmasiutin Tinyweb

CVE-2026-28497

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Leng…

Vulnerability class: Integer Overflow

EPSS: 0.002 (47.9th percentile) — read the EPSS interpretation.

Affected products

Maximmasiutin Tinyweb — versions < 2.03

Weakness classification (CWE)

References

https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-rp8j-cx7r-mw9f (x_refsource_CONFIRM)
https://github.com/maximmasiutin/TinyWeb/commit/d2edd0322c3d74beee0a6c0191299b8946695d4e (x_refsource_MISC)