TinyWeb CGI Parameter Injection
Security Advisory. Published: February 25, 2026. Fixed in TinyWeb v2.01 (February 21, 2026).
Summary
TinyWeb's CGI query parameter parsing contains vulnerabilities that allow an unauthenticated remote
attacker to bypass security mechanisms (STRICT_CGI_PARAMS and
EscapeShellParam). Depending on the server configuration and the CGI binary being used,
this can lead to Source Code Disclosure or Remote Code Execution (RCE) via Argument Injection.
Severity: Critical (CVSS 4.0 Base Score: 9.3)
Vulnerability Details
| CVE ID | CVE-2026-27613 |
|---|---|
| GHSA ID | GHSA-rfx5-fh9m-9jj9 |
| Vulnerability Type | Command Injection / Argument Injection (CWE-78, CWE-88) |
| Attack Type | Remote |
| Attack Vector | Network (unauthenticated HTTP request) |
| Vendor/Maintainer | Maxim Masiutin |
| Product | TinyWeb HTTP Server |
| Affected Versions | Versions before 2.01 |
| Fixed Version | 2.01 (February 21, 2026) |
| Impact | Source Code Disclosure, Remote Code Execution |
CVSS Score
| CVSS Version | Score | Severity | Vector String |
|---|---|---|---|
| CVSS 4.0 | 9.3 | Critical | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Technical Details
Root Cause
The vulnerability stems from two interconnected issues in SrvMain.pas:
- Insufficient hyphen validation: the IsQueryParamSafe whitelist, while restricting most dangerous characters, does not restrict where the hyphen (-) character can appear. In particular, it allows query parameters that start with a hyphen, which a CGI binary receiving them as command-line arguments interprets as option flags.
- Incorrect shell escaping for Win32 binaries: the EscapeShellParam function escapes double quotes (") as ^". The caret is an escape character only for cmd.exe. A native Win32 binary whose command line is split by the MSVCRT startup code (the same rules CommandLineToArgvW applies), such as php-cgi.exe, treats the caret as an ordinary character and the following " as the end of the quoted argument, so an attacker can break out of the argument quoting.
Exploitation Scenarios
1. Source Code Disclosure (Default Configuration)
With STRICT_CGI_PARAMS enabled (the default), the whitelist still accepts parameters that start
with a hyphen. If the CGI handler is php-cgi.exe, a query string of ?-s reaches it as the
command-line flag -s, which makes php-cgi print the syntax-highlighted source of the script
instead of executing it, bypassing the web server's restrictions.
GET /cgi-bin/test.php?-s HTTP/1.1
2. Argument Injection / RCE
If STRICT_CGI_PARAMS is disabled, attackers can use URL-encoded double quotes (%22) and spaces (%20)
to close the quoted argument and inject arbitrary further arguments into Win32 CGI executables.
Against php-cgi.exe this allows passing arbitrary PHP configuration directives with -d (for example
allow_url_include=1), leading to Remote Code Execution.
GET /cgi-bin/php-cgi.exe?%22%20-d%20allow_url_include=1 HTTP/1.1
Fix Applied in Version 2.01
The problem has been patched in version 2.01. The patch includes two primary improvements:
- The IsQueryParamSafe whitelist was upgraded to explicitly reject any query parameter that begins with a hyphen (-), in accordance with RFC 3875 Section 4.4.
- EscapeShellParam was updated to escape double quotes (") as \" instead of ^", ensuring safe argument passing to MSVCRT-compiled native binaries.
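To make the two root causes and the v2.01 fixes concrete, the following Python script is an added example; it is not TinyWeb's code and not written by its maintainer. It models the pre-2.01 whitelist and quoting, the fixed versions, and an MSVCRT/CommandLineToArgvW-style argument splitter, so the effect of ^" versus \" on a native php-cgi.exe can be checked offline. The whitelist regex SAFE_PARAM_RE, percent-decoding before the check, "+"-separated parameters, wrapping each parameter in double quotes, and the helper names (is_query_param_safe, escape_shell_param_vulnerable, escape_shell_param_fixed, msvcrt_split, cgi_argv) are all assumptions for illustration. It goes beyond the advisory in one respect: the fixed escaper also doubles backslashes that precede a quote, which the MSVCRT rules require for the \" scheme to be safe.

```python
"""Added example, not TinyWeb code: models the two flaws the advisory
describes in SrvMain.pas and the v2.01 fixes. Whitelist regex, decoding
order, '+' splitting and the quoting wrapper are assumptions."""
import re
from urllib.parse import unquote

# Hypothetical stand-in for the IsQueryParamSafe whitelist (assumption).
SAFE_PARAM_RE = re.compile(r"[A-Za-z0-9_.=%-]+")


def is_query_param_safe(param: str, reject_leading_hyphen: bool = True) -> bool:
    """reject_leading_hyphen=False models pre-2.01, True models v2.01.
    Runs on the percent-decoded value so %2D cannot smuggle a hyphen past
    the check (assumption about where TinyWeb decodes)."""
    decoded = unquote(param)
    if not SAFE_PARAM_RE.fullmatch(decoded):
        return False
    return not (reject_leading_hyphen and decoded.startswith("-"))


def escape_shell_param_vulnerable(value: str) -> str:
    """Pre-2.01 EscapeShellParam as described: " becomes ^" (cmd.exe only)."""
    return '"' + value.replace('"', '^"') + '"'


def escape_shell_param_fixed(value: str) -> str:
    """v2.01 scheme: " becomes \\". Backslashes immediately before a quote
    (or before the closing quote we add) are doubled as well; that rule is
    required by the MSVCRT parser and goes beyond the advisory's text."""
    out = ['"']
    backslashes = 0
    for ch in value:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == '"':
            out.append("\\" * (2 * backslashes + 1) + '"')
        else:
            out.append("\\" * backslashes + ch)
        backslashes = 0
    out.append("\\" * (2 * backslashes) + '"')
    return "".join(out)


def msvcrt_split(cmdline: str) -> list[str]:
    """Split a command line as the MSVCRT startup code / CommandLineToArgvW
    do: whitespace separates arguments outside quotes; 2n backslashes before
    a " give n backslashes and toggle quoting; 2n+1 give n backslashes and a
    literal ". A caret is an ordinary character. (The doubled-quote special
    case, which differs between CRT versions, is omitted.)"""
    args: list[str] = []
    cur: list[str] = []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def cgi_argv(query: str, escape, strict: bool, reject_leading_hyphen: bool) -> list[str]:
    """Server-side model: split the query on '+', apply the whitelist when
    strict, quote each parameter and hand the line to a native php-cgi.exe.
    Returns the argv php-cgi would see, or [] if a parameter was rejected."""
    params = query.split("+")
    if strict and not all(is_query_param_safe(p, reject_leading_hyphen) for p in params):
        return []
    cmdline = "php-cgi.exe " + " ".join(escape(unquote(p)) for p in params)
    return msvcrt_split(cmdline)
```

With the vulnerable escaper and strict checking off, the advisory's `%22%20-d%20allow_url_include=1` request yields the argv `php-cgi.exe ^ -d allow_url_include=1`, i.e. the injected `-d` is a separate argument; with the fixed escaper the whole payload stays inside one argument. The `-s` request passes the pre-2.01 whitelist even in strict mode and is rejected only once leading hyphens are refused.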
Workarounds
- Ensure STRICT_CGI_PARAMS is enabled (it is defined by default in define.inc). Note that this blocks only the argument injection scenario; the leading-hyphen source disclosure still works with strict checking enabled until the server is upgraded to 2.01.
- Disable or remove CGI executables that natively accept dangerous command-line flags (such as php-cgi.exe).
- Place the server behind a Web Application Firewall (WAF) or reverse proxy that blocks query strings starting with a hyphen or containing encoded double quotes (%22).
Timeline
| February 21, 2026 | Vulnerability identified by Maxim Masiutin |
|---|---|
| February 21, 2026 | Fix implemented and released in TinyWeb v2.01 |
| February 25, 2026 | Security advisory published (CVE-2026-27613 / GHSA-rfx5-fh9m-9jj9) |