Cyber Resilience

CVE-2026-28497

Severity: Critical · Public PoC
Published: 06 March 2026
Modified: 16 March 2026
KEV added: not listed
Patch: available (fixed in 2.03)
CVSS v4.0 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
EPSS score: 0.0047 (36.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28497 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Ritlabs Tinyweb. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28497 is an integer overflow vulnerability (CWE-190) in the string-to-integer conversion routine named _Val within TinyWeb, a lightweight HTTP and HTTPS web server written in Delphi for Win32 platforms. In versions prior to 2.03, a Content-Length header whose decimal value exceeds what _Val can represent wraps to a different, smaller number instead of being rejected. TinyWeb then frames the request body with a length that differs from the one the sender declared, which lets an attacker bypass Content-Length restrictions and perform HTTP Request Smuggling (CWE-444). The issue also carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H); both vectors reflect network reachability with no authentication or user interaction required.

An unauthenticated remote attacker exploits this by sending crafted HTTP requests whose Content-Length value triggers the overflow during parsing. Because the server consumes a body of a different length than the one declared, the bytes left over in the connection buffer are read as the start of the next request, so the impact is greatest on servers configured for persistent connections (Keep-Alive). Successful exploitation allows bypassing security filters, unauthorized access to resources, and cache poisoning.
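To make the framing disagreement concrete, here is an added example in Python; it is not TinyWeb's code and not from the advisory. It places a Content-Length parser that wraps at 32 bits beside a bounds-checked one, and runs a small Keep-Alive request splitter over a constructed attacker payload with each. The 32-bit wrap width, the 10 MiB body limit, the function names and the sample request are assumptions for illustration only; TinyWeb's real _Val routine is not reproduced. The hardened parser is also the kind of check the SI-10 input-validation control under Mitigating Controls calls for.

```python
# Added example; not code from TinyWeb or the advisory.
# Shows how a wrapping string-to-integer conversion of Content-Length
# (CWE-190) yields a second, smuggled request on a Keep-Alive connection
# (CWE-444), and how a bounds-checked parser rejects the same input.
# Assumptions (not from the page): the flawed routine accumulates in a
# 32-bit register; the hardened parser enforces a 10 MiB body limit.

WRAP_BITS = 32                      # assumed register width of the flawed routine
WRAP_MASK = (1 << WRAP_BITS) - 1
MAX_BODY = 10 * 1024 * 1024         # illustrative policy limit for the hardened parser


def content_length_wrapping(value: str) -> int:
    """Naive decimal-to-integer routine that silently wraps at 32 bits."""
    n = 0
    for ch in value.strip():
        if ch not in "0123456789":
            raise ValueError("non-digit in Content-Length")
        n = (n * 10 + int(ch)) & WRAP_MASK   # the CWE-190 defect: no overflow check
    return n


def content_length_hardened(value: str) -> int:
    """Strict parser: ASCII digits only, bounded digit count, bounded value."""
    v = value.strip()
    if not v or not v.isascii() or not v.isdigit():
        raise ValueError("Content-Length must be ASCII digits")
    if len(v) > 19:                  # longer than any 63-bit value; reject before converting
        raise ValueError("Content-Length too long")
    n = int(v)                       # Python ints are arbitrary precision, so no wrap here
    if n > MAX_BODY:
        raise ValueError(f"Content-Length {n} exceeds limit {MAX_BODY}")
    return n


def split_requests(stream: bytes, parse_length) -> list:
    """Split a Keep-Alive byte stream into (request_line, body) pairs,
    framing each body with the supplied Content-Length parser."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete headers")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        length = 0
        for line in lines[1:]:
            name, _, val = line.partition(":")
            if name.strip().lower() == "content-length":
                length = parse_length(val)
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            raise ValueError("short body")
        requests.append((lines[0], body))
        pos = body_start + length
    return requests


# Constructed attacker payload: the declared length is 2**32 + 5, which a
# 32-bit wrapping parser reads as 5. The bytes after "AAAAA" are then framed
# as a fresh request by any component using that parser, while a correct
# parser sees a single POST with a 4 GiB body that never arrives.
SMUGGLED = (b"POST / HTTP/1.1\r\n"
            b"Host: target\r\n"
            b"Content-Length: 4294967301\r\n\r\n"
            b"AAAAA"
            b"GET /admin HTTP/1.1\r\n"
            b"Host: target\r\n\r\n")


def demo():
    """Return the vulnerable parser's framing and the hardened parser's verdict."""
    vulnerable = split_requests(SMUGGLED, content_length_wrapping)
    try:
        split_requests(SMUGGLED, content_length_hardened)
        hardened = "accepted"
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return vulnerable, hardened


if __name__ == "__main__":
    reqs, outcome = demo()
    for request_line, body in reqs:
        print("wrapping parser framed:", request_line, body[:12])
    print("hardened parser:", outcome)
```

Run it and the wrapping parser carves two requests out of what the sender framed as one, the POST and a smuggled GET /admin; that disagreement between two parsers over where a request ends is exactly what request smuggling relies on. The hardened parser rejects the header before any body is read. The same numbers are useful at the boundary: a Content-Length with more than ten digits, or a value above 2^31, is a reasonable thing for a front-end proxy or WAF to log and block.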

The vulnerability has been addressed in TinyWeb version 2.03. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-rp8j-cx7r-mw9f) and the specific commit (d2edd0322c3d74beee0a6c0191299b8946695d4e) that fixes the _Val routine.

Vulnerability details

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.

CWE(s)

CWE-190 Integer Overflow or Wraparound
CWE-444 HTTP Request Smuggling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an integer overflow in a public-facing HTTP/HTTPS web server (TinyWeb) that enables HTTP Request Smuggling via crafted requests, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29046 · same product: Ritlabs Tinyweb
CVE-2026-27613 · same product: Ritlabs Tinyweb
CVE-2026-22781 · same product: Ritlabs Tinyweb
CVE-2026-27633 · same product: Ritlabs Tinyweb
CVE-2026-27630 · same product: Ritlabs Tinyweb
CVE-2025-30404 · shared CWE-190
CVE-2025-27918 · shared CWE-190
CVE-2026-28368 · shared CWE-444
CVE-2024-11347 · shared CWE-190
CVE-2024-40765 · shared CWE-190

Affected Assets

Vendor: ritlabs
Product: tinyweb
Versions: prior to 2.03 (fixed in 2.03)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation · prevent
Requires identification, reporting, and correction of flaws such as the integer overflow in TinyWeb's _Val routine, here by patching to version 2.03.

SI-10 Information Input Validation · prevent
Mandates validation of HTTP inputs such as Content-Length headers (digits only, bounded length and value) so that string-to-integer conversion cannot overflow.

SC-7 Boundary Protection · prevent, detect
Enforces boundary protections such as web application firewalls or a front-end proxy that monitor and block malformed HTTP requests, including oversized Content-Length values, before they reach the origin server.
