TinyWeb CGI Command Injection
Security Advisory. Published: 2025-12-27. Fixed in TinyWeb v1.98 (November 23, 2025).
Summary
TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests.
Severity: Critical (CVSS 4.0 Base Score: 9.8)
Vulnerability Details
| CVE ID | CVE-2026-22781 |
|---|---|
| Vulnerability Type | OS Command Injection (CWE-78) |
| Attack Type | Remote |
| Attack Vector | Network (unauthenticated HTTP request) |
| Vendor | Maxim Masiutin |
| Product | TinyWeb HTTP Server |
| Affected Versions | All versions before 1.98 (0.5 through 1.97) |
| Fixed Version | 1.98 (November 23, 2025) |
| Affected Component | CGI ISINDEX query handler, ExecuteScript function |
| Impact | Code Execution, Information Disclosure, Denial of Service, Privilege Escalation |
CVSS 4.0 Score
| Base Score | 9.8 Critical |
|---|---|
| Vector String | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Attack Requirements (AT) | None |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Vulnerable System CIA (VC/VI/VA) | High / High / High |
| Subsequent System CIA (SC/SI/SA) | High / High / High |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) |
Technical Details
Root Cause
When processing HTTP requests to CGI scripts with query strings that do not contain an equals sign
(=), TinyWeb treats the query as ISINDEX-style input per RFC 3875 Section 4.4. The
query parameters are passed as command-line arguments to the CGI executable via Windows
CreateProcess().
Prior to version 1.98, these query parameters were appended directly to the command line without sanitization, allowing injection of Windows shell metacharacters.
Affected Code Path
1. THTTPServerThread.Execute parses the HTTP request
2. A query string without = triggers ISINDEX mode
3. ExecuteScript() appends the query to the command line
4. CreateProcess() executes with unsanitized input
Attack Vector
An attacker sends an HTTP request with shell metacharacters in the query string:
GET /cgi-bin/script.exe?arg1&calc.exe HTTP/1.1
Host: target.example.com
The & character is interpreted by the Windows command processor, causing
calc.exe (or any other command) to execute. Other dangerous characters include:
| < > ^ ( ) % ! " ' ` ; $
Exploitation Requirements
- TinyWeb version before 1.98
- At least one CGI script present in the cgi-bin directory
- Network access to the TinyWeb server
Fix Applied in Version 1.98
Version 1.98 implements two-layer defense-in-depth in SrvMain.pas (lines 799-862):
1. Whitelist Validation (Optional)
Function IsQueryParamSafe() validates that query parameters contain only safe
characters: [A-Za-z0-9._-/\:]. Parameters with other characters are rejected with HTTP
400 Bad Request. Controlled by STRICT_CGI_PARAMS define (enabled by default).
2. Apache-style Escaping (Always Active)
Function EscapeShellParam() escapes Windows shell metacharacters with caret
(^) and wraps parameters in quotes. This provides protection even when whitelist
validation is disabled.
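The following is an added example, not TinyWeb's Pascal code. It models the two layers described above (a whitelist check in the spirit of IsQueryParamSafe() and a caret-escape-and-quote step in the spirit of EscapeShellParam()) and applies them to ISINDEX-style queries as described under Attack Vector, both to an incoming request line and to constructed access-log lines so a defender can spot requests that would have reached CreateProcess() unsanitized. The function names, the log format, the sample log lines, and the reading of the whitelist [A-Za-z0-9._-/\:] with "-" taken as a literal hyphen are all assumptions of this example.

```python
import re
from urllib.parse import unquote

# Characters the advisory lists as dangerous on a Windows command line.
SHELL_METACHARS = set('&|<>^()%!"\'`;$')

# Assumed reading of the advisory's whitelist: letters, digits, and the
# literal characters . _ - / \ :  (the "-" is taken as a hyphen, not a range).
SAFE_PARAM_RE = re.compile(r'^[A-Za-z0-9._\-/\\:]*$')

# Combined-log-format tail: "request" status size  (constructed format assumption).
LOG_RE = re.compile(r'"(?P<req>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$')


def is_query_param_safe(param: str) -> bool:
    """Whitelist layer: True only if every character is in the safe set."""
    return bool(SAFE_PARAM_RE.match(param))


def escape_shell_param(param: str) -> str:
    """Escaping layer: caret-escape each listed metacharacter, then wrap in quotes.

    This illustrates the approach named in the advisory; how cmd.exe finally
    interprets quotes and carets depends on how the command line is invoked.
    """
    escaped = ''.join('^' + ch if ch in SHELL_METACHARS else ch for ch in param)
    return '"' + escaped + '"'


def is_isindex_query(query: str) -> bool:
    """RFC 3875 section 4.4: a non-empty query string with no '=' is ISINDEX-style."""
    return query != '' and '=' not in query


def classify_request(request_line: str, strict: bool = True):
    """Decide what a hardened server would do with one HTTP request line.

    Returns (decision, args). Decisions: 'malformed', 'not-cgi', 'not-isindex',
    'reject-400' (strict whitelist failed) or 'accept' (args escaped for the
    command line). ISINDEX arguments are split on '+' and percent-decoded
    before validation, so an encoded metacharacter such as %26 cannot slip through.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ('malformed', [])
    path, _, query = parts[1].partition('?')
    if not path.startswith('/cgi-bin/'):
        return ('not-cgi', [])
    if not is_isindex_query(query):
        return ('not-isindex', [])
    args = [unquote(a) for a in query.split('+')]
    if strict and not all(is_query_param_safe(a) for a in args):
        return ('reject-400', args)
    return ('accept', [escape_shell_param(a) for a in args])


def scan_access_log(lines):
    """Flag log entries whose ISINDEX query would fail the strict whitelist.

    Returns a list of (line_number, request_line) for the flagged entries.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        decision, _ = classify_request(m.group('req'))
        if decision == 'reject-400':
            findings.append((n, m.group('req')))
    return findings


# Constructed sample log lines (RFC 5737 documentation address, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [27/Dec/2025:10:00:02 +0000] "GET /cgi-bin/search.exe?term=widgets HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Dec/2025:10:00:03 +0000] "GET /cgi-bin/search.exe?widgets+blue HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Dec/2025:10:00:04 +0000] "GET /cgi-bin/script.exe?arg1&calc.exe HTTP/1.1" 200 64',
    '192.0.2.10 - - [27/Dec/2025:10:00:05 +0000] "GET /cgi-bin/script.exe?arg1%26calc.exe HTTP/1.1" 200 64',
]

if __name__ == '__main__':
    for n, req in scan_access_log(SAMPLE_LOG):
        print(f'line {n}: would be rejected with 400: {req}')
    print(classify_request('GET /cgi-bin/search.exe?widgets+blue HTTP/1.1'))
```

Running the block lists the two log entries (the advisory's own example and its percent-encoded variant) that fail the whitelist, while the plain two-word ISINDEX query is accepted with each argument quoted. Passing strict=False to classify_request() shows the fallback behaviour when only the escaping layer is active.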
Mitigation
Recommended: Upgrade to TinyWeb version 1.98 or later.
Workaround: If upgrade is not possible, remove or disable all CGI scripts from the
cgi-bin directory. Alternatively, place TinyWeb behind a reverse proxy that sanitizes
query strings.
Timeline
| November 23, 2025 | Vulnerability discovered and fixed in TinyWeb v1.98 |
|---|---|
| November 23, 2025 | Version 1.98 released with fix by Maxim Masiutin |
| December 27, 2025 | CVE requested from MITRE and published |
| January 2026 | CVE-2026-22781 assigned |
Credit
Discovered by Maxim Masiutin (maintainer).
Other TinyWeb CVEs Fixed
| CVE-2024-5193 | CRLF Injection (CWE-93) - Fixed in v1.99. CVSS 5.0 Medium. Advisory |
|---|---|
| CVE-2024-34199 | Buffer Overflow (CWE-787) - Fixed in v1.99. CVSS 8.6 High. Advisory |
| CVE-2004-2636 | Path Traversal (CWE-22) - Fixed in v1.93. CVSS 5.0 Medium. Advisory |
| CVE-2003-1510 | Denial of Service (CWE-400) - Fixed in v1.93. CVSS 7.8 High. Advisory |