Cyber Posture

CVE-2026-29046

Severity: High · Public PoC

Published: 06 March 2026
Modified: 16 March 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0033 (55.5th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
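The control the description calls for is a strict check on every header line before it is copied into an HTTP_* variable. The following is an added illustration written for this page, not TinyWeb's own Delphi code: it rejects raw CR, LF and NUL and their percent-encoded forms (%0d, %0a, %00 in either case), validates the field name as an RFC 7230 token, and fails closed for the whole header block. The sample headers and the helper names are constructed for the example.

```python
import re

# Raw control characters that must never be copied into a CGI variable.
RAW_FORBIDDEN = ("\r", "\n", "\x00")
# Percent-encoded forms of the same characters, matched case-insensitively.
ENCODED_FORBIDDEN = re.compile(r"%(?:0d|0a|00)", re.IGNORECASE)
# RFC 7230 "token" characters permitted in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class BadHeader(ValueError):
    """A header line that must not be mapped into the CGI environment."""

def check_header_value(value: str) -> str:
    """Return value unchanged, or raise if it carries CR, LF, NUL or %0d/%0a/%00."""
    if any(ch in value for ch in RAW_FORBIDDEN):
        raise BadHeader("raw control character in header value")
    if ENCODED_FORBIDDEN.search(value):
        raise BadHeader("percent-encoded control character in header value")
    return value

def cgi_env_name(name: str) -> str:
    """CGI/1.1 naming: 'X-Forwarded-For' becomes 'HTTP_X_FORWARDED_FOR'."""
    # fullmatch (not match + '$') so a trailing newline cannot slip past the check
    if not TOKEN.fullmatch(name):
        raise BadHeader(f"invalid header field name: {name!r}")
    return "HTTP_" + name.upper().replace("-", "_")

def headers_to_cgi_env(raw_headers: str) -> dict:
    """Map a CRLF-delimited header block to HTTP_* variables, rejecting the whole
    block if any line fails validation (fail closed, no partial environment)."""
    env = {}
    for line in raw_headers.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise BadHeader(f"malformed header line: {line!r}")
        # strip only SP/HTAB: a default strip() would silently drop a stray CR/LF
        env[cgi_env_name(name)] = check_header_value(value.strip(" \t"))
    return env

def is_safe(raw_headers: str) -> bool:
    """Convenience wrapper: True if the block maps cleanly, False if rejected."""
    try:
        headers_to_cgi_env(raw_headers)
        return True
    except BadHeader:
        return False
```

A bare LF inside a line, a NUL in a value, and a control character hidden in the field name are all rejected, not normalised away, which is the behaviour a server front end needs before handing data to a CGI process.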

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly addresses the improper input validation by requiring strict checking of HTTP headers for dangerous control characters and encoded forms before mapping to CGI environment variables.
- prevent: Mandates timely flaw remediation through patching TinyWeb to version 2.04, which fixes the header parser vulnerability.
- prevent: Enforces restrictions on information inputs from external interfaces like HTTP requests to block malformed headers with CRLF, NUL, or encoded variants entering the CGI context.

Security Summary [AI]

CVE-2026-29046 affects TinyWeb, a lightweight web server supporting HTTP and HTTPS, implemented in Delphi for Win32 platforms. In versions prior to 2.04, the server's request parser fails to strictly reject dangerous control characters such as CR, LF, and NUL in HTTP header lines and values, including encoded variants like %0d, %0a, and %00. These headers are subsequently mapped into CGI environment variables prefixed with HTTP_, enabling header value confusion across parser boundaries and the injection of unsafe data into the CGI execution context. The vulnerability is rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and is associated with CWEs 20 (Improper Input Validation), 74 (Incorrect Conversion between Representations), 93 (Improper Neutralization of CRLF Sequences), and 114 (Process Control).

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By crafting malicious HTTP requests with tainted headers containing control characters or their encodings, attackers can manipulate CGI environment variables, potentially leading to high integrity impacts such as arbitrary code execution, data tampering, or other injections within the CGI context, alongside limited availability disruption.

The vulnerability has been addressed in TinyWeb version 2.04. Security practitioners should upgrade to this patched release. Detailed patch information is available in the GitHub commit at https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a and the security advisory at https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc.

Details

CWE(s)

Affected Products
ritlabs tinyweb ≤ 2.04

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in the public-facing TinyWeb HTTP/HTTPS server allows remote unauthenticated attackers to inject control characters and encoded variants into HTTP headers, which are mapped to CGI environment variables, enabling header confusion and injections leading to arbitrary code execution or data tampering in the CGI context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
