CVE-2026-29046
Published: 06 March 2026
Summary
CVE-2026-29046 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ritlabs Tinyweb. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper input validation by requiring strict checking of HTTP headers for dangerous control characters and encoded forms before mapping to CGI environment variables.
Mandates timely flaw remediation through patching TinyWeb to version 2.04, which fixes the header parser vulnerability.
Enforces restrictions on information inputs from external interfaces like HTTP requests to block malformed headers with CRLF, NUL, or encoded variants entering the CGI context.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the public-facing TinyWeb HTTP/HTTPS server allows remote unauthenticated attackers to inject control characters and encoded variants into HTTP headers, which are mapped to CGI environment variables, enabling header confusion and injections leading to arbitrary code execution or data tampering in the CGI context.
NVD Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in…
more
header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.
Deeper analysisAI
CVE-2026-29046 affects TinyWeb, a lightweight web server supporting HTTP and HTTPS, implemented in Delphi for Win32 platforms. In versions prior to 2.04, the server's request parser fails to strictly reject dangerous control characters such as CR, LF, and NUL in HTTP header lines and values, including encoded variants like %0d, %0a, and %00. These headers are subsequently mapped into CGI environment variables prefixed with HTTP_ , enabling header value confusion across parser boundaries and the injection of unsafe data into the CGI execution context. The vulnerability is rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and is associated with CWEs 20 (Improper Input Validation), 74 (Incorrect Conversion between Representations), 93 (Improper Neutralization of CRLF Sequences), and 114 (Process Control).
Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By crafting malicious HTTP requests with tainted headers containing control characters or their encodings, attackers can manipulate CGI environment variables, potentially leading to high integrity impacts such as arbitrary code execution, data tampering, or other injections within the CGI context, alongside limited availability disruption.
The vulnerability has been addressed in TinyWeb version 2.04. Security practitioners should upgrade to this patched release. Detailed patch information is available in the GitHub commit at https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a and the security advisory at https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc.
Details
- CWE(s)