TinyWeb HTTP Server - MITRE CVE Advisories

Security Advisories for all TinyWeb CVEs. Last updated: 2026-02-25.

Summary

This document provides a centralized index of all security vulnerabilities in TinyWeb HTTP Server that have been assigned MITRE CVE identifiers. All identified vulnerabilities have been fixed as of the current version of the server, v2.02.

Status: ALL KNOWN VULNERABILITIES FIXED

CVE Summary Table

Sorted by CVE identifier, descending (not by fix version; see the Fixed In column).

CVE ID            Fixed In   Type                                   Severity          Advisory
CVE-2026-27633    v2.02      Memory Exhaustion (CWE-400)            High (8.7)        Advisory
CVE-2026-27630    v2.02      Slowloris (CWE-400)                    High (8.7)        Advisory
CVE-2026-27613    v2.01      CGI Param Injection (CWE-78, 88)       Critical (9.3)    Advisory
CVE-2026-22781    v1.98      Command Injection (CWE-78)             Critical (9.8)    Advisory
CVE-2024-34199    v1.99      Buffer Overflow (CWE-787)              High (8.6)        Advisory
CVE-2024-5193     v1.99      CRLF Injection (CWE-93)                Medium (5.0)      Advisory
CVE-2004-2636     v1.93      Path Traversal (CWE-22)                Medium (5.0)      Advisory
CVE-2003-1510     v1.93      Denial of Service (CWE-400)            High (7.8)        Advisory

CVE-2026-27633 (Fixed in v2.02) - Unbounded Content-Length Memory Exhaustion

Severity 8.7 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Description TinyWeb did not enforce a maximum request body size before allocating the body buffer, so an unauthenticated remote attacker could send a request with an arbitrarily large Content-Length value and exhaust server memory.
Fix Details Introduced CMaxEntityBodySize (default 10MB) to reject oversized payloads with HTTP 413.
Link Detailed Advisory

CVE-2026-27630 (Fixed in v2.02) - Thread/Connection Exhaustion (Slowloris)

Severity 8.7 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Description TinyWeb's one-thread-per-connection model had no concurrency limit, so an unauthenticated remote attacker could open many connections and send request data exceptionally slowly, holding each thread open until the server's thread limit or memory was exhausted.
Fix Details Introduced CMaxConnections (default 512) and CConnectionTimeoutSecs (default 30s) to limit resources.
Link Detailed Advisory
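Added example, not TinyWeb's code, of the two controls named in the fix: a connection cap (CMaxConnections) and a timeout (CConnectionTimeoutSecs), applied to a thread-per-connection server. It assumes a 503 answer for connections over the cap and a 408 for connections that miss the deadline, and it reads the timeout as a deadline for receiving the complete request head rather than as a per-read timeout; those are this example's choices, not the page's. slowloris_scenario() runs the attack shape against the server on localhost with small limits and returns what each client saw.

```python
import contextlib
import socket
import threading
import time

# Limits named on the advisory page, with the page's defaults. Added example, not
# TinyWeb's code: the 503/408 answers and the whole-head deadline are its own choices.
C_MAX_CONNECTIONS = 512
C_CONNECTION_TIMEOUT_SECS = 30


def _response(status, body=b""):
    return f"HTTP/1.1 {status}\r\nConnection: close\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


class BoundedServer:
    """Thread-per-connection plus the two limits the unfixed model lacked."""

    def __init__(self, max_connections=C_MAX_CONNECTIONS,
                 timeout_secs=C_CONNECTION_TIMEOUT_SECS):
        self.slots = threading.BoundedSemaphore(max_connections)  # CMaxConnections
        self.timeout_secs = timeout_secs  # CConnectionTimeoutSecs
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.listener.settimeout(0.1)  # so the accept loop notices close()
        self.port = self.listener.getsockname()[1]
        self.active, self.lock = 0, threading.Lock()  # handlers holding a slot
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return  # listener closed
            # Without this gate every connection got a thread, so an attacker
            # only needed more idle sockets than the server had threads.
            if not self.slots.acquire(blocking=False):
                with conn, contextlib.suppress(OSError):
                    conn.sendall(_response("503 Service Unavailable"))
                continue
            with self.lock:
                self.active += 1
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        deadline = time.monotonic() + self.timeout_secs
        head = b""
        try:
            while b"\r\n\r\n" not in head:
                # A per-recv() timeout alone fails against a client that sends one
                # byte just before each timeout, so one deadline covers the whole head.
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise socket.timeout()
                conn.settimeout(remaining)
                chunk = conn.recv(4096)
                if not chunk:
                    return  # client went away
                head += chunk
            conn.sendall(_response("200 OK", b"OK"))
        except socket.timeout:
            with contextlib.suppress(OSError):
                conn.sendall(_response("408 Request Timeout"))
        except OSError:
            pass
        finally:
            conn.close()
            self.slots.release()
            with self.lock:  # after release, so active < max implies a free slot
                self.active -= 1

    def close(self):
        self.listener.close()


def _status_line(sock):
    sock.settimeout(5)
    return sock.recv(256).split(b"\r\n")[0].decode()


def slowloris_scenario(max_connections=2, timeout_secs=0.5):
    """Idle clients take every slot; one more is refused at once; the idle ones
    are cut off at the deadline; then a well-behaved client is served."""
    with contextlib.closing(BoundedServer(max_connections, timeout_secs)) as srv, \
            contextlib.ExitStack() as stack:
        def connect():
            return stack.enter_context(socket.create_connection(("127.0.0.1", srv.port)))
        idle = [connect() for _ in range(max_connections)]
        idle[0].sendall(b"GET / HTTP/1.1\r\n")  # partial head, then silence
        refused = _status_line(connect())  # no free slot: refused immediately
        timed_out = _status_line(idle[0])  # deadline passes: cut off with 408
        end = time.monotonic() + 5
        while srv.active >= max_connections and time.monotonic() < end:
            time.sleep(0.01)  # wait for a slot to be released
        good = connect()
        good.sendall(b"GET / HTTP/1.1\r\nHost: h\r\n\r\n")
        return {"refused": refused, "timed_out": timed_out, "served": _status_line(good)}
```

The deadline, rather than a per-read timeout, is the part worth copying: with only a per-read timeout, a client that sends one byte just before each timeout expires still holds its thread indefinitely, and a connection cap alone then just lowers the number of sockets the attacker needs.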

CVE-2026-27613 (Fixed in v2.01) - CGI Parameter Injection

Severity 9.3 Critical (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Description Query parameters beginning with a hyphen were not rejected, and the shell escaping applied before launching Win32 binaries was incorrect, so attackers could bypass STRICT_CGI_PARAMS and EscapeShellParam and achieve source code disclosure or RCE.
Fix Details Query parameters starting with a hyphen are now rejected, and the escaping was changed from the cmd.exe caret form (^") to the backslash form (\"), which is the quoting that a Win32 program's command-line parsing honours.
Link Detailed Advisory

CVE-2026-22781 (Fixed in v1.98) - CGI Command Injection

Severity 9.8 Critical (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Description Unsanitized ISINDEX-style query parameters passed to CreateProcess() allowed unauthenticated remote attackers to execute arbitrary OS commands via Windows shell metacharacters.
Fix Details Implemented IsQueryParamSafe whitelist and EscapeShellParam function to sanitize input.
Link Detailed Advisory
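Added example, not TinyWeb's code, that puts the two CGI entries above (CVE-2026-22781 and CVE-2026-27613) together: the whitelist stage (IsQueryParamSafe / STRICT_CGI_PARAMS, here including the v2.01 leading-hyphen rule) and the escaping stage (EscapeShellParam, in its caret and backslash forms). crt_split() emulates how a Win32 program's C runtime splits the command line it receives from CreateProcess(), which is what makes the caret form fail. The whitelist alphabet and the function names are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Added illustration of the two layers the advisory names (IsQueryParamSafe /
# STRICT_CGI_PARAMS and EscapeShellParam); not TinyWeb's code. The whitelist
# alphabet below is this example's assumption, not the project's.
SAFE_WORD = re.compile(r"[A-Za-z0-9._@-]+")


def split_isindex_query(query):
    """ISINDEX-style query (no '=' pair): '+'-separated words, each URL-decoded
    and handed to the CGI program as one command-line argument (RFC 3875 4.4)."""
    return [unquote(word) for word in query.split("+") if word]


def is_query_param_safe(word):
    """Layer 1, whitelist: a fixed alphabet keeps quotes and shell metacharacters
    off the command line; no leading '-', so a word cannot be read as an option."""
    return bool(SAFE_WORD.fullmatch(word)) and not word.startswith("-")


def escape_shell_param_caret(word):
    """Pre-v2.01 idea: neutralise '"' with cmd.exe's caret. Wrong for a Win32
    program started directly by CreateProcess(): its C runtime parses the raw
    command line, where '^' is ordinary and the following '"' still toggles quoting."""
    return '"' + word.replace('"', '^"') + '"'


def escape_shell_param_backslash(word):
    """Layer 2, the v2.01 rule ('\\"' instead of '^"'), completed with the C
    runtime's backslash rule: n backslashes before '"' become 2n+1, and n
    trailing backslashes become 2n so they cannot escape the closing quote."""
    out, pending = ['"'], 0
    for ch in word:
        if ch == "\\":
            pending += 1
            continue
        if ch == '"':
            out.append("\\" * (2 * pending + 1) + '"')
        else:
            out.append("\\" * pending + ch)
        pending = 0
    out.append("\\" * (2 * pending) + '"')
    return "".join(out)


def crt_split(cmdline):
    """Emulate the C runtime / CommandLineToArgvW argv rules (minus the '""' case):
    unquoted whitespace splits, '"' toggles quoting, 2n backslashes before '"' give
    n backslashes and a toggle, 2n+1 give n backslashes and a literal '"'."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)
                i = j
        elif ch == '"':
            in_quotes = not in_quotes
            i += 1
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur = []
            started, i = False, i + 1
            continue
        else:
            cur.append(ch)
            i += 1
        started = True
    if started:
        args.append("".join(cur))
    return args


def build_cgi_command_line(script, query, escape=escape_shell_param_backslash):
    """Validate every decoded word, then quote each for CreateProcess(). Raises
    ValueError on the first unsafe word (the STRICT_CGI_PARAMS behaviour)."""
    words = split_isindex_query(query)
    bad = [w for w in words if not is_query_param_safe(w)]
    if bad:
        raise ValueError(f"unsafe CGI parameter(s): {bad!r}")
    return " ".join(escape(part) for part in [script] + words)


if __name__ == "__main__":
    print(crt_split(escape_shell_param_caret('a"b c')))      # ['a^b', 'c']: one word became two argv entries
    print(crt_split(escape_shell_param_backslash('a"b c')))  # ['a"b c']: stays one argument
```

Both layers are needed: the whitelist keeps a quote from ever reaching the command line, and the escaping is what protects the server if a later change to the whitelist lets one through.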

CVE-2024-34199 (Fixed in v1.99) - Buffer Overflow / Denial of Service

Severity 8.6 High (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
Description Unbounded heap growth in TCollector.Collect() when parsing HTTP request lines allowed unauthenticated remote attackers to crash the server by sending oversized request lines.
Fix Details Implemented CMaxHeaderLineLength (8KB) and CMaxTotalHeaderSize (64KB) limits.
Link Detailed Advisory
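Added example, not TinyWeb's code, that puts the two size limits on this page side by side: the CMaxHeaderLineLength and CMaxTotalHeaderSize caps from this entry and the CMaxEntityBodySize cap from the CVE-2026-27633 entry above, with the page's default values. The 431 and 400 responses used for header-size and malformed-length violations are assumptions; the page names only 413 for oversized bodies. What it shows is where each check sits: the head is read with a bounded readline so the buffer can never grow past the cap, and Content-Length is validated before any body buffer is allocated.

```python
import io
import re

# Limits as named on the advisory page, with the page's default values. The
# reader below is an added illustration, not TinyWeb's code; answering 431 for
# header-size violations and 400 for malformed lengths is this example's choice
# (the page names only 413 for oversized bodies).
C_MAX_HEADER_LINE_LENGTH = 8 * 1024
C_MAX_TOTAL_HEADER_SIZE = 64 * 1024
C_MAX_ENTITY_BODY_SIZE = 10 * 1024 * 1024


class RequestRejected(Exception):
    """Carries the HTTP status the server should answer with."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def read_request_head(stream, max_line=C_MAX_HEADER_LINE_LENGTH,
                      max_total=C_MAX_TOTAL_HEADER_SIZE):
    """Read the request line and headers from a binary stream, enforcing the
    per-line and total caps *while* reading: the server never holds more than
    max_total bytes of header data for one request, however much the client sends."""
    lines, total = [], 0
    while True:
        # readline(n) returns at most n bytes; asking for max_line + 1 and
        # getting more than max_line back means the line is over the cap.
        line = stream.readline(max_line + 1)
        if not line:
            raise RequestRejected(400, "Bad Request: truncated request head")
        if len(line) > max_line:
            raise RequestRejected(431, "Request Header Fields Too Large")
        total += len(line)
        if total > max_total:
            raise RequestRejected(431, "Request Header Fields Too Large")
        if line in (b"\r\n", b"\n"):
            break  # blank line ends the head
        lines.append(line.rstrip(b"\r\n"))
    if not lines:
        raise RequestRejected(400, "Bad Request: empty request")
    headers = []
    for raw in lines[1:]:
        name, sep, value = raw.decode("latin-1").partition(":")
        if not sep or not name.strip():
            raise RequestRejected(400, "Bad Request: malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("latin-1"), headers


def content_length(headers, max_body=C_MAX_ENTITY_BODY_SIZE):
    """Validate Content-Length before any body buffer is allocated. Returns the
    declared length (0 when absent) or raises RequestRejected."""
    values = {v for n, v in headers if n == "content-length"}
    if not values:
        return 0
    if len(values) > 1:
        # Two different lengths is a smuggling/desync signal, not a size.
        raise RequestRejected(400, "Bad Request: conflicting Content-Length")
    value = values.pop()
    # ASCII digits only: rejects "", "-1", "+5", "1e6" and the non-ASCII digits
    # that str.isdigit() accepts but int() does not.
    if not re.fullmatch(r"[0-9]{1,19}", value):
        raise RequestRejected(400, "Bad Request: invalid Content-Length")
    length = int(value)
    if length > max_body:
        raise RequestRejected(413, "Payload Too Large")
    return length


def handle(raw_request):
    """Run both checks on one complete request head; returns ("ok", length)
    or ("rejected", status)."""
    try:
        _, headers = read_request_head(io.BytesIO(raw_request))
        return ("ok", content_length(headers))
    except RequestRejected as exc:
        return ("rejected", exc.status)


# Constructed sample requests for the demonstration (not from the advisory).
NORMAL = b"POST /cgi-bin/x.pl HTTP/1.1\r\nHost: h\r\nContent-Length: 12\r\n\r\n"
HUGE_BODY = b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 99999999999\r\n\r\n"
LONG_LINE = b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: h\r\n\r\n"
MANY_HEADERS = (b"GET / HTTP/1.1\r\n"
                + b"".join(b"X-Pad: " + b"B" * 7000 + b"\r\n" for _ in range(10))
                + b"\r\n")

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("huge body", HUGE_BODY),
                      ("long line", LONG_LINE), ("many headers", MANY_HEADERS)]:
        print(f"{name:12s} -> {handle(req)}")
```

MANY_HEADERS keeps every line under the 8KB line cap and still trips the 64KB total cap, which is the case a per-line limit alone would miss.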

CVE-2024-5193 (Fixed in v1.99) - CRLF Injection

Severity 5.0 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Description URL-encoded CRLF sequences in request paths were decoded and included directly in Location redirect headers, allowing HTTP header injection and response splitting.
Fix Details Implemented StripCRLF() to sanitize all strings before they are used in HTTP response headers.
Link Detailed Advisory
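Added example, not TinyWeb's code, of the flaw and of the fix: a redirect whose Location echoes the URL-decoded request path, built once without and once with StripCRLF(). header_names() and response_count() read the result the way a lenient client would, so the injected header and the second, attacker-supplied response are visible. The attack paths are constructed and the response layout is an assumption.

```python
import re
from urllib.parse import unquote

# Added illustration of the flaw and of the StripCRLF() fix described above.
# This is not TinyWeb's code; the redirect layout is this example's assumption.


def strip_crlf(value):
    """Remove the two header-line terminators. Both matter: many clients also
    treat a bare LF as the end of a header line."""
    return value.replace("\r", "").replace("\n", "")


def build_redirect(decoded_path, sanitize):
    """301 response whose Location echoes the already URL-decoded request path.
    sanitize=False reproduces the flaw; sanitize=True applies the fix to the
    one attacker-controlled string that lands in a header."""
    location = strip_crlf(decoded_path) if sanitize else decoded_path
    head = ["HTTP/1.1 301 Moved Permanently", f"Location: {location}", "Content-Length: 0"]
    return "\r\n".join(head) + "\r\n\r\n"


def header_names(response):
    """Header names a lenient client sees in the first response: lines end at
    CRLF or bare LF, the head ends at the first blank line."""
    first_head = re.split(r"\r?\n\r?\n", response, maxsplit=1)[0]
    return [line.split(":", 1)[0] for line in re.split(r"\r?\n", first_head)[1:]]


def response_count(response):
    """How many response heads a client could parse out of one server reply."""
    return sum(part.startswith("HTTP/1.") for part in re.split(r"\r?\n\r?\n", response))


# Constructed attack paths for the demonstration (not from the advisory).
HEADER_INJECTION = "/old%0d%0aSet-Cookie:%20sid=evil"
BARE_LF = "/old%0aX-Injected:%201"
RESPONSE_SPLIT = ("/old%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html"
                  "%0d%0aContent-Length:%2021%0d%0a%0d%0a<html>injected</html>")


def compare(encoded_path):
    """Return what the vulnerable and the fixed server emit for one request path."""
    decoded = unquote(encoded_path)  # the server decodes before using the path
    return {
        "vulnerable_headers": header_names(build_redirect(decoded, sanitize=False)),
        "fixed_headers": header_names(build_redirect(decoded, sanitize=True)),
        "vulnerable_responses": response_count(build_redirect(decoded, sanitize=False)),
        "fixed_responses": response_count(build_redirect(decoded, sanitize=True)),
    }


if __name__ == "__main__":
    for path in (HEADER_INJECTION, BARE_LF, RESPONSE_SPLIT):
        print(path, compare(path), sep="\n  ")
```

Stripping rather than rejecting matches the fix the page describes; either way the check has to run on every value that goes into a header, after decoding, not only on Location.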

CVE-2004-2636 (Fixed in v1.93) - Path Traversal / Source Code Disclosure

Severity 5.0 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Description The /./ path component bypassed the CGI script detection logic, causing the server to return the raw source code of CGI scripts instead of executing them.
Fix Details Blocked \.\ path components (the Windows form of /./) and implemented ExpandFileName() suffix verification and component validation.
Link Detailed Advisory

CVE-2003-1510 (Fixed in v1.93) - Denial of Service (Null Byte)

Severity 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Description A null byte (%00) in a cgi-bin request path caused the server to enter a CPU-intensive loop trying to resolve the malformed path.
Fix Details Modified WebServerHttpResponse() to immediately reject any request path containing a null byte (#0).
Link Detailed Advisory
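Added example, not TinyWeb's code, covering the two v1.93 fixes above (CVE-2004-2636 and CVE-2003-1510). classify_naive() is one way the described bypass arises: the page says only that a /./ component slipped past CGI detection, not how the pre-fix check was written, so the raw-URL prefix test is an assumption. classify_hardened() rejects null bytes first, validates each component, canonicalises with ntpath (Windows path rules, runnable on any OS) and verifies the result against the document root before deciding whether the target is a CGI script. Document root, cgi-bin location and the default document are assumptions.

```python
import ntpath
from urllib.parse import unquote

# Added illustration of the two path-handling fixes described above (the /./
# CGI-detection bypass and the %00 rejection); not TinyWeb's code. The layout
# below and the pre-fix decision logic are this example's assumptions: the page
# says only that a '/./' component slipped past CGI detection.
DOC_ROOT = r"C:\www"
CGI_DIR = ntpath.join(DOC_ROOT, "cgi-bin")
DEFAULT_DOCUMENT = "index.html"  # assumed directory default


class PathRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def classify_naive(url_path):
    """Pre-v1.93 style: decide CGI-or-static from the raw URL, then let the OS
    resolve the file. '/./cgi-bin/t.pl' fails the prefix test and is served as
    a static file, yet Windows opens the very script the test was guarding."""
    is_cgi = url_path.lower().startswith("/cgi-bin/")
    fs_path = ntpath.normpath(DOC_ROOT + url_path.replace("/", "\\"))
    return ("cgi" if is_cgi else "static", fs_path)


def classify_hardened(url_path):
    """v1.93 style: reject null bytes outright (CVE-2003-1510), validate every
    component before touching the filesystem, canonicalise, verify the result
    still carries the requested suffix under DOC_ROOT, and only then classify."""
    decoded = unquote(url_path)
    if "\0" in decoded:
        raise PathRejected(400, "null byte in request path")
    if not decoded.startswith("/"):
        raise PathRejected(400, "request path must be absolute")
    parts = [p for p in decoded.split("/") if p] or [DEFAULT_DOCUMENT]
    for part in parts:
        # '.' and '..' are the traversal components; '\\' and ':' would let
        # Windows reinterpret the path (separators, drives, alternate data
        # streams); trailing dots and spaces are silently dropped by Win32.
        if part in (".", "..") or "\\" in part or ":" in part or part[-1] in ". ":
            raise PathRejected(403, f"forbidden path component {part!r}")
    requested = ntpath.join(DOC_ROOT, *parts)
    canonical = ntpath.normpath(requested)
    # ExpandFileName()-style suffix verification: canonicalising must not have
    # changed anything, and the result must still live under the document root.
    if canonical != requested or not canonical.lower().startswith(DOC_ROOT.lower() + "\\"):
        raise PathRejected(403, "path escapes the document root")
    kind = "cgi" if canonical.lower().startswith(CGI_DIR.lower() + "\\") else "static"
    return (kind, canonical)


def decide(url_path):
    """classify_hardened() with the rejection folded into the return value."""
    try:
        return classify_hardened(url_path)
    except PathRejected as exc:
        return ("rejected", exc.status)


# Constructed request paths for the demonstration (not from the advisory).
SAMPLES = ["/cgi-bin/t.pl", "/./cgi-bin/t.pl", "/cgi-bin/%2e%2e/t.pl",
           "/cgi-bin/t.pl%00.txt", "/cgi-bin/t.pl::$DATA", "/index.html"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:24s} naive={classify_naive(path)}  hardened={decide(path)}")
```

The order matters: the null-byte test runs before anything touches the path, and the CGI decision is taken on the canonical filesystem path, not on the URL, so no spelling of the URL can make the two disagree.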

GitHub Security Advisories (GHSA)

GHSA-rfx5-fh9m-9jj9 CVE-2026-27613 - CGI Parameter Injection. GitHub Advisory
GHSA-m779-84h5-72q2 CVE-2026-22781 - Command Injection. GitHub Advisory
GHSA-v8p2-9h7p-2cq5 CVE-2024-34199 - Buffer Overflow. GitHub Advisory
GHSA-34v3-m9j8-58mv CVE-2024-5193 - CRLF Injection. GitHub Advisory
GHSA-9h8w-cfwf-3pp2 CVE-2004-2636 - Path Traversal. GitHub Advisory
GHSA-4rx7-2jvr-7x5w CVE-2003-1510 - Denial of Service. GitHub Advisory

Timeline

2026-02-25 TinyWeb v2.02 released fixing CVE-2026-27633 and CVE-2026-27630.
2026-02-25 TinyWeb v2.01 released fixing CVE-2026-27613 (CGI Param Injection).
2026-02-22 DoS vulnerabilities (Slowloris/Content-Length) identified.
2026-01-05 TinyWeb v1.99 released fixing CVE-2024-34199 and CVE-2024-5193.
2025-11-23 TinyWeb v1.98 released fixing CVE-2026-22781 (Command Injection).
2004-06-03 TinyWeb v1.93 released fixing CVE-2004-2636 and CVE-2003-1510.