CRITICAL🇵🇱 Wersja polska

CVE-2026-27613

CVSS 10.0v4.0pub. 2026-02-25upd. 2026-03-04

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code execution (RCE). Anyone hosting CGI scripts (particularly interpreted languages like PHP) using vulnerable versions of TinyWeb is impacted. The problem has been patched in version 2.01. If upgrading is not immediately possible, ensure `STRICT_CGI_PARAMS` is enabled (it is defined by default in `define.inc`) and/or do not use CGI executables that natively accept dangerous command-line flags (such as `php-cgi.exe`). If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that explicitly blocks URL query string parameters that begin with a hyphen (`-`) or contain encoded double quotes (`%22`).

🤖 AI Analysis
How it works

The error classified as CWE-78 (OS command injection) and CWE-88 (argument injection) involves improper validation of parameters passed via URL to executable CGI files. An attacker can craft an HTTP request containing query string parameters starting with a dash (`-`) or containing encoded quotes (`%22`), which are then passed directly as command-line arguments to the CGI process. When using interpreters such as `php-cgi.exe`, such arguments can be interpreted as switches controlling program behavior, leading to arbitrary code execution or source file disclosure.

Impact

An unauthenticated remote attacker can execute arbitrary code on the server (RCE) or gain access to the source code of hosted scripts, which may lead to system takeover and data breach.

Mitigation & patch

Update TinyWeb to version 2.01, where the issue has been fixed. If immediate update is not possible: ensure that the `STRICT_CGI_PARAMS` option is enabled (defined by default in the `define.inc` file), avoid using CGI executable files that accept unsafe command-line flags (e.g., `php-cgi.exe`). When hosting PHP, it is recommended to place the server behind a Web Application Firewall (WAF) that blocks query string parameters starting with `-` or containing encoded quotes (`%22`).

Who is affected

Ritlabs TinyWeb in versions prior to 2.01 — affects anyone hosting CGI scripts (particularly in interpreted languages such as PHP) using vulnerable server versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Ritlabs Tinyweb

    APP
    Ritlabs
    < 2.01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEFirewallCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-28497CRITICAL9.3PL ✓ten sam produkt

Integer overflow w TinyWeb umożliwia HTTP Request Smuggling

CVE-2026-29046CRITICAL9.2PL ✓ten sam produkt

TinyWeb: nieprawidłowa walidacja nagłówków HTTP umożliwia header injection

CVE-2026-22781CRITICAL10.0PL ✓ten sam produkt

Command injection w TinyWeb HTTP Server via parametry CGI ISINDEX

CVE-2026-27630HIGH8.7ten sam produkt

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerab...

CVE-2026-27633HIGH8.7ten sam produkt

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denia...