CVE-2026-22781
Published: 12 January 2026
Summary
CVE-2026-22781 is a critical-severity OS Command Injection (CWE-78) vulnerability in Ritlabs Tinyweb. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of unsanitized CGI ISINDEX-style query parameters before passing them to Windows CreateProcess(), directly preventing OS command injection via shell metacharacters.
- Mandates timely identification, reporting, and patching of the specific flaw fixed in TinyWeb version 1.98, eliminating the vulnerability.
- Enforces restrictions on HTTP query parameters to block Windows shell metacharacters, preventing their use in command-line arguments to CGI executables.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables exploitation of a public-facing web server (T1190) via unauthenticated remote command injection in CGI, directly facilitating arbitrary Windows command shell execution (T1059.003).
NVD Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
Deeper analysis
TinyWeb HTTP Server, a lightweight web server supporting HTTP and HTTPS written in Delphi for Win32 platforms, is affected by CVE-2026-22781, an OS command injection vulnerability (CWE-78) in versions prior to 1.98. The flaw arises when CGI ISINDEX-style query parameters in HTTP requests are passed directly as command-line arguments to CGI executables via the Windows CreateProcess() API, without proper sanitization, allowing injection of malicious payloads.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting HTTP requests containing Windows shell metacharacters in the query parameters, the attacker achieves arbitrary command execution on the server, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.
The vulnerability is addressed in TinyWeb version 1.98; the fix is implemented in the commit at https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96. Additional details are available in the GitHub security advisory at https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 and in a technical analysis at https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html; both recommend an immediate upgrade to the patched version as the mitigation.
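As an added illustration of the SI-10 input-validation control named above and of the ISINDEX argument flow described in the analysis (example code written for this page, not TinyWeb's own Delphi code), the following Python splits an ISINDEX-style query into CGI arguments per RFC 3875 section 4.4 and rejects any argument carrying Windows shell metacharacters. The metacharacter list and the sample request lines are constructed for the example; a real server must still quote arguments correctly when building the CreateProcess() command line.

```python
from urllib.parse import unquote

# Characters that cmd.exe treats specially on a command line. Constructed
# for this example; extend it to match the CGI executable's own argument
# parsing rules (e.g. quoting behaviour of the target program's runtime).
WIN_SHELL_META = set('&|<>^%"\r\n')


def isindex_args(query):
    """RFC 3875 s4.4: a query string containing no unencoded '=' is an
    ISINDEX query. Split on '+' first, then URL-decode each word, so an
    encoded '%2B' stays inside one argument instead of splitting it."""
    if query == "" or "=" in query:
        return []  # not ISINDEX-style: no command-line arguments are built
    return [unquote(word) for word in query.split("+")]


def validate_cgi_args(args):
    """SI-10 style check: reject any decoded argument that contains a shell
    metacharacter. Returns (ok, offending_argument_or_None)."""
    for arg in args:
        if any(ch in WIN_SHELL_META for ch in arg):
            return False, arg
    return True, None


def inspect_request_line(line):
    """Classify one HTTP request line as 'no-args' (no ISINDEX arguments
    would be passed), 'clean' (arguments pass validation) or 'blocked'."""
    parts = line.split()
    if len(parts) < 2:
        return "malformed"
    query = parts[1].partition("?")[2]
    args = isindex_args(query)
    if not args:
        return "no-args"
    ok, _ = validate_cgi_args(args)
    return "clean" if ok else "blocked"


# Constructed sample request lines (not captured traffic). The third one
# carries an encoded '&' (%26) that decodes into a cmd.exe metacharacter.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search.exe?report+2025 HTTP/1.1",
    "GET /cgi-bin/search.exe?q=report HTTP/1.1",
    "GET /cgi-bin/search.exe?report%26other HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(inspect_request_line(req), "<-", req)
```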
Details
- CWE(s)