CVE-2026-29046 CRITICAL

CVE-2026-29046: TinyWeb: HTTP Header Control Character Injection into CGI Environment

Vendor Maximmasiutin
Product TinyWeb
Weakness CWE-114
Published March 6, 2026
Last update March 6, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

What the vulnerability does

01Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 6, 2026 Record updated