Cyber Posture

CVE-2026-27613

Critical

Published: 25 February 2026
Modified: 04 March 2026
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages such as PHP) on a vulnerable version of TinyWeb is affected. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query strings that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of system flaws; upgrading TinyWeb to version 2.01, where the CGI parameter bypass is patched, is the direct remediation for this CVE.

SI-10 Information Input Validation (prevent): mandates validation of input at interfaces such as CGI parameters, so that argument delimiters and dangerous flags are neutralized before they reach the CGI executable (the weaknesses catalogued as CWE-78 and CWE-88).

CM-6 Configuration Settings (prevent): enforces secure configuration settings, such as keeping STRICT_CGI_PARAMS enabled in TinyWeb, which strengthens the CGI parameter security controls against bypass.

Security Summary [AI]

CVE-2026-27613 is a vulnerability in TinyWeb, a web server supporting HTTP and HTTPS written in Delphi for Win32 platforms, affecting versions prior to 2.01. The flaw enables unauthenticated remote attackers to bypass the web server's CGI parameter security controls, and is classified under CWE-78 (OS Command Injection) and CWE-88 (Improper Neutralization of Argument Delimiters in a Command). It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, and no privileges or user interaction required.

Attackers can exploit this vulnerability remotely without authentication by crafting malicious requests that manipulate CGI parameters. Depending on the server configuration and the specific CGI executable deployed—particularly interpreted languages like PHP—the impact ranges from source code disclosure to remote code execution (RCE). Organizations hosting CGI scripts on vulnerable TinyWeb instances are at risk, with php-cgi.exe highlighted as especially susceptible due to its acceptance of dangerous command-line flags.

The vulnerability has been addressed in TinyWeb version 2.01, as detailed in the project's GitHub release and commit history. For those unable to upgrade immediately, mitigations include verifying that the STRICT_CGI_PARAMS define is enabled (it is set by default in define.inc), avoiding CGI executables that accept hazardous command-line flags, and, for PHP deployments, positioning the server behind a Web Application Firewall (WAF) configured to block URL query strings starting with a hyphen (-) or containing encoded double quotes (%22). Additional guidance is available in the GitHub security advisory and related documentation.
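As an added illustration (not code from this page or from the TinyWeb project), the WAF rule described above, written as a small Python filter and run over a few constructed access-log lines. Beyond what the page states, it assumes a Common Log Format request line, and it also checks the percent-decoded query string so that a `%2D`-encoded hyphen or a double-encoded quote (`%2522`) is not waved through; both are assumptions of this example, not part of the advisory.

```python
"""Edge filter for the WAF rule described above: flag query strings that begin
with a hyphen or contain a double quote, then run it over access-log lines.
Added example; not TinyWeb project code."""

import re
from urllib.parse import unquote

# Rules as the advisory states them, applied to the raw (still-encoded) query string.
LEADING_HYPHEN = re.compile(r"^-")
ENCODED_DQUOTE = re.compile(r"%22", re.IGNORECASE)

# Extracts the request target from a Common Log Format request line (assumed format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_string_is_suspicious(qs: str) -> list:
    """Return the names of the rules a query string trips; an empty list means clean.

    Checks the raw string (as the advisory's WAF rule describes) and, as an
    assumption beyond the page, also the percent-decoded string so that a
    %2D-encoded hyphen or a double-encoded quote (%2522) is not missed.
    """
    reasons = []
    decoded = unquote(qs)
    if LEADING_HYPHEN.match(qs) or LEADING_HYPHEN.match(decoded):
        reasons.append("leading-hyphen")
    if ENCODED_DQUOTE.search(qs) or ENCODED_DQUOTE.search(decoded) or '"' in decoded:
        reasons.append("double-quote")
    return reasons


def scan_access_log(lines):
    """Return (client_ip, target, reasons) for every request whose query string trips a rule."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        target = m.group("target")
        qs = target.partition("?")[2]
        if not qs:
            continue  # no query string, nothing for the CGI layer to turn into arguments
        reasons = query_string_is_suspicious(qs)
        if reasons:
            hits.append((line.split(" ", 1)[0], target, reasons))
    return hits


# Constructed sample log lines (not from the page or any real incident). The two
# hyphen-leading requests mimic the flag-style query string the advisory warns about;
# the last line shows a hyphen that is not leading and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2026:10:00:01 +0000] "GET /cgi-bin/php-cgi.exe/index.php?-s HTTP/1.1" 200 2048
203.0.113.5 - - [25/Feb/2026:10:00:02 +0000] "GET /cgi-bin/php-cgi.exe/index.php?%2Ds HTTP/1.1" 200 2048
198.51.100.7 - - [25/Feb/2026:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096
198.51.100.7 - - [25/Feb/2026:10:00:04 +0000] "GET /index.php?q=%22hello%22 HTTP/1.1" 200 128
192.0.2.9 - - [25/Feb/2026:10:00:05 +0000] "GET /index.php?id=-1 HTTP/1.1" 200 4096
""".splitlines()

if __name__ == "__main__":
    for ip, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

Two caveats a practitioner should keep in mind. First, this is a compensating control only: the rule must sit in front of TinyWeb and see the query string before the server decodes it, and it does nothing about the underlying bypass, so the upgrade to 2.01 (or at minimum leaving STRICT_CGI_PARAMS enabled) remains the real fix. Second, any legitimate ISINDEX-style query that genuinely begins with a hyphen will be blocked, so review the hits from a day of real traffic before enforcing the rule rather than just logging it.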

Details

CWE(s)

CWE-78 (OS Command Injection), CWE-88 (Improper Neutralization of Argument Delimiters in a Command)

Affected Products

ritlabs tinyweb, versions prior to 2.01 (fixed in 2.01)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web server through CGI parameter manipulation, leading to OS command injection and RCE, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
