Cyber Posture

CVE-2026-28497

Severity: Critical · Public PoC

Published: 06 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: available (version 2.03)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0023 (46.2 percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.

Mitigating Controls (NIST 800-53 r5), AI-generated

[prevent] Requires identification, reporting, and correction of flaws like the integer overflow in TinyWeb's _Val routine via patching to version 2.03.

[prevent] Mandates validation of HTTP inputs such as Content-Length headers to prevent integer overflows during string-to-integer conversion.

[prevent, detect] Enforces boundary protections like web application firewalls to monitor and block malformed HTTP requests enabling request smuggling.

Security Summary, AI-generated

CVE-2026-28497 is an integer overflow vulnerability (CWE-190) in the string-to-integer conversion routine named _Val within TinyWeb, a lightweight HTTP and HTTPS web server written in Delphi for Win32 platforms. Affecting versions prior to 2.03, the flaw enables attackers to bypass Content-Length restrictions, facilitating HTTP Request Smuggling (CWE-444). This issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its critical severity due to network accessibility and lack of prerequisites.

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests that trigger the integer overflow during Content-Length parsing. Successful exploitation allows bypassing security filters, unauthorized access to resources, and cache poisoning attacks, with heightened impact on servers configured for persistent connections via Keep-Alive.

The vulnerability has been addressed in TinyWeb version 2.03. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-rp8j-cx7r-mw9f) and the specific commit (d2edd0322c3d74beee0a6c0191299b8946695d4e) that fixes the _Val routine.
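As an added example (not TinyWeb's code; the page does not show the _Val routine itself), the C below contrasts a constructed 32-bit digit loop that silently wraps on a long Content-Length value with a strict parser that rejects non-digit input, 64-bit overflow and values above a configured body limit. The function names, the sample header value and the 10 MiB limit are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an unchecked string-to-integer routine (not TinyWeb's _Val):
 * digits accumulate into 32 bits and wrap modulo 2^32, so distinct headers give one length. */
uint32_t naive_content_length(const char *s)
{
    uint32_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return 0;
        n = n * 10u + (uint32_t)(*s - '0');   /* wraps, no overflow check */
    }
    return n;
}

/* Strict parser: Content-Length must be 1*DIGIT (RFC 9110), fit in 64 bits and stay
 * within the server's body limit. Any deviation is a parse failure that a server should
 * answer with 400 and a closed connection, never a guessed length (matters for Keep-Alive). */
bool parse_content_length(const char *s, uint64_t max_body, uint64_t *out)
{
    if (s == NULL || *s == '\0')
        return false;                          /* empty value */
    uint64_t n = 0;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s))
            return false;                      /* sign, space, hex prefix, etc. */
        uint64_t d = (uint64_t)(*s - '0');
        if (n > (UINT64_MAX - d) / 10)
            return false;                      /* n * 10 + d would overflow */
        n = n * 10 + d;
    }
    if (n > max_body)
        return false;                          /* exceeds policy limit */
    *out = n;
    return true;
}

#define MAX_BODY (10u * 1024u * 1024u)         /* assumed 10 MiB body limit */

int main(void)
{
    const char *hdr = "4294967301";            /* constructed value: 2^32 + 5 */
    uint64_t len;
    printf("naive : %u\n", (unsigned)naive_content_length(hdr));   /* 5 after wrapping */
    printf("strict: %s\n", parse_content_length(hdr, MAX_BODY, &len) ? "accepted" : "rejected");
    return 0;
}
```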

Details

CWE(s): CWE-190, CWE-444

Affected Products: ritlabs / tinyweb, versions ≤ 2.03

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an integer overflow in a public-facing HTTP/HTTPS web server (TinyWeb) that enables HTTP Request Smuggling via crafted requests, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
