Cyber Posture

CVE-2026-22781

Critical

Published: 12 January 2026

Published
12 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0058 69.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI…

more

executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of unsanitized CGI ISINDEX-style query parameters before passing them to Windows CreateProcess(), directly preventing OS command injection via shell metacharacters.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and patching of the specific flaw fixed in TinyWeb version 1.98, eliminating the vulnerability.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on HTTP query parameters to block Windows shell metacharacters, preventing their use in command-line arguments to CGI executables.

Security SummaryAI

TinyWeb HTTP Server, a lightweight web server supporting HTTP and HTTPS written in Delphi for Win32 platforms, is affected by CVE-2026-22781, an OS command injection vulnerability (CWE-78) in versions prior to 1.98. The flaw arises when CGI ISINDEX-style query parameters in HTTP requests are passed directly as command-line arguments to CGI executables via the Windows CreateProcess() API, without proper sanitization, allowing injection of malicious payloads.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting HTTP requests containing Windows shell metacharacters in the query parameters, the attacker achieves arbitrary command execution on the server, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.

The vulnerability is addressed in TinyWeb version 1.98, where the commit at https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 implements the fix. Additional details are available in the GitHub security advisory at https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 and a technical analysis at https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html, recommending immediate upgrade to the patched version for mitigation.

Details

CWE(s)
CWE-78

Affected Products

ritlabs
tinyweb
≤ 1.98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
attack.mitre.org →
Why these techniques?

CVE enables exploitation of public-facing web server (T1190) via unauthenticated remote command injection in CGI, directly facilitating arbitrary Windows command shell execution (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References