TinyWeb: Windows web server allows code smuggling

In the lean web server TinyWeb for Windows, attackers from the network can inject arbitrary code. An update helps.




The lean web server TinyWeb for Windows, programmed in Delphi, contains a vulnerability that allows attackers from the network to inject and execute malicious code. An updated version closes the security gap.

In the vulnerability description now published, the authors write that CGI parameters are passed as command-line parameters to the CGI executable via Windows.CreateProcess(), apparently unfiltered. By inserting Windows shell metacharacters into HTTP requests, attackers from the network can execute arbitrary commands on the server's operating system without prior authentication (CVE-2026-22781, CVSS4 10.0, Risk “critical”).

A separate security advisory from TinyWeb programmer Maxim Masiutin goes into further detail. When processing HTTP requests to CGI scripts whose query string does not contain an equals sign, TinyWeb treats them as requests in “ISINDEX” format. In this case, the code passes the parameters as command-line parameters, as described in the CVE entry. Masiutin names GET /cgi-bin/script.exe?arg1&calc.exe HTTP/1.1 as an example request: the “&” character is interpreted by the Windows command processor, which in this case launches calc.exe. Other characters that are dangerous for the same reason are | < > ^ ( ) % ! " ' ` ; $. Masiutin calculates the score under CVSS version 3.1 and arrives at the slightly different value of 9.8, which also falls into the “critical” risk rating.
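The advisory's description gives defenders a concrete pattern to look for in web server logs: a request under /cgi-bin/ whose query string has no equals sign (ISINDEX form) but does contain one of the Windows shell metacharacters listed above. The following Python script is an added example, not code from heise or from the TinyWeb project; it runs that check over a handful of constructed Common Log Format lines. The log lines, client addresses and the script name are assumptions made for the demonstration, while the metacharacter list is taken from the article.

```python
import re
from urllib.parse import unquote

# Windows shell metacharacters from the advisory, plus "&" from the example request.
SHELL_METACHARS = set('&|<>^()%!"\'`;$')

# Extracts method and request target from a Common Log Format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log lines (assumed format; not real TinyWeb logs).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [12/Jan/2026:10:00:02 +0000] "GET /cgi-bin/script.exe?name=alice HTTP/1.1" 200 128
192.0.2.12 - - [12/Jan/2026:10:00:03 +0000] "GET /cgi-bin/script.exe?arg1&calc.exe HTTP/1.1" 200 64
192.0.2.13 - - [12/Jan/2026:10:00:04 +0000] "GET /cgi-bin/script.exe?arg1%7Ccalc.exe HTTP/1.1" 200 64
192.0.2.14 - - [12/Jan/2026:10:00:05 +0000] "GET /cgi-bin/script.exe?plain HTTP/1.1" 200 64
"""


def is_isindex_cgi_injection(target: str) -> bool:
    """Return True if the request target is an ISINDEX-style CGI request
    (query string without '=') that carries Windows shell metacharacters.

    The query is percent-decoded first, so an encoded pipe (%7C) is caught
    as well as a literal one.
    """
    path, sep, query = target.partition("?")
    if not sep or not path.lower().startswith("/cgi-bin/"):
        return False
    if "=" in query:
        # Not ISINDEX form according to the advisory; handled differently by TinyWeb.
        return False
    decoded = unquote(query)
    return any(ch in SHELL_METACHARS for ch in decoded)


def scan_log(text: str) -> list:
    """Return (client_ip, request_target) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        if is_isindex_cgi_injection(match.group("target")):
            hits.append((line.split()[0], match.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious ISINDEX CGI request from {ip}: {target}")
```

The same predicate can serve as a reject-before-dispatch check in front of an unpatched server, for example in a reverse proxy rule, until TinyWeb is updated. The rule mirrors the advisory's ISINDEX condition deliberately; a broader policy would flag any shell metacharacter in a /cgi-bin/ query regardless of whether an equals sign is present.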


To exploit the vulnerability, at least one CGI script must be present in the “cgi-bin” directory. TinyWeb 1.98 from November 2025 closes the vulnerability. The GitHub project currently carries version 1.99 of TinyWeb, released last week, which also closes another vulnerability: a buffer overflow that leads to a denial of service (CVE-2024-34199, CVSS 8.6, Risk “high”).

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.