Cyber Resilience

CVE-2026-27633

HighDDoS

Published: 26 February 2026

Published
26 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 34.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27633 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ritlabs Tinyweb. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-27633 is a Denial of Service (DoS) vulnerability via memory exhaustion in TinyWeb, a web server supporting HTTP and HTTPS written in Delphi for Win32 platforms. Versions prior to 2.02 are affected, as the server fails to enforce a maximum limit on HTTP request body sizes. When processing a POST request, it continuously allocates memory for the EntityBody while streaming the payload, allowing unchecked consumption of all available system memory.

Unauthenticated remote attackers can exploit this vulnerability by sending an HTTP POST request with an exceptionally large Content-Length header, such as 2147483647. This triggers unbounded memory allocation, leading to server crash and denial of service. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with associated CWEs 400 (Uncontrolled Resource Consumption) and 770 (Allocation of Resources Without Limits or Throttling). Any service hosted on affected TinyWeb instances is at risk.

Version 2.02 patches the issue by introducing a CMaxEntityBodySize limit set to 10MB for maximum accepted payloads. If immediate upgrading is not feasible, a temporary workaround is to deploy the server behind a Web Application Firewall (WAF) or reverse proxy like nginx or Cloudflare, explicitly configured to restrict HTTP request body sizes (e.g., client_max_body_size in nginx). Details are provided in the GitHub commit at https://github.com/maximmasiutin/TinyWeb/commit/1cb5a1d, security advisory at https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-992w-gmcm-fmgr, and analysis at https://www.masiutin.net/tinyweb-cve-2026-27633.html.

EU & UK References

Vulnerability details

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with…

more

an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates memory for the request body (`EntityBody`) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxEntityBodySize` limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote unauthenticated exploitation of a public-facing web server (T1190) via a single crafted POST request that triggers application-level resource exhaustion and crash (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27630Same product: Ritlabs Tinyweb
CVE-2026-29046Same product: Ritlabs Tinyweb
CVE-2026-28497Same product: Ritlabs Tinyweb
CVE-2026-27613Same product: Ritlabs Tinyweb
CVE-2026-22781Same product: Ritlabs Tinyweb
CVE-2026-34829Shared CWE-400, CWE-770
CVE-2026-33176Shared CWE-400, CWE-770
CVE-2026-26018Shared CWE-400, CWE-770
CVE-2026-29181Shared CWE-770
CVE-2026-41309Shared CWE-400, CWE-770

Affected Assets

ritlabs
tinyweb
≤ 2.02

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 directly mandates denial-of-service protections, such as request body size limits, to prevent memory exhaustion from oversized HTTP POST Content-Length headers.

prevent

SC-6 requires safeguards for resource availability, including memory allocation limits, to block unbounded consumption during request body streaming.

prevent

SI-10 enforces validation of inputs like Content-Length against defined maximum sizes to reject excessively large payloads before memory allocation.

References