CRITICAL🇵🇱 Wersja polska

CVE-2026-22781

CVSS 10.0v4.0pub. 2026-01-12upd. 2026-01-16

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

🤖 AI Analysis
How it works

HTTP query parameters in ISINDEX style are passed directly as command-line arguments to the CGI executable file through the Windows CreateProcess() function. An attacker can inject special Windows shell metacharacters into the HTTP request, leading to execution of unintended operating system commands. The vulnerability does not require authentication or any user interaction.

Impact

An attacker can execute arbitrary commands on the server with TinyWeb process privileges, potentially gaining full control over the operating system and internal resources.

Mitigation & patch

TinyWeb should be updated to version 1.98, in which the vulnerability was fixed. The patch is available in the project repository on GitHub (commit 876b7e2).

Who is affected

Ritlabs TinyWeb HTTP Server versions prior to 1.98 (server running on Win32 platform)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Ritlabs Tinyweb

    APP
    Ritlabs
    < 1.98
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-28497CRITICAL9.3PL ✓ten sam produkt

Integer overflow w TinyWeb umożliwia HTTP Request Smuggling

CVE-2026-29046CRITICAL9.2PL ✓ten sam produkt

TinyWeb: nieprawidłowa walidacja nagłówków HTTP umożliwia header injection

CVE-2026-27613CRITICAL10.0PL ✓ten sam produkt

RCE lub ujawnienie kodu źródłowego w TinyWeb przez pominięcie kontroli parametrów CGI

CVE-2026-27630HIGH8.7ten sam produkt

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerab...

CVE-2026-27633HIGH8.7ten sam produkt

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denia...