CVE-2026-27613 is an OS command injection vulnerability identified in TinyWeb, a lightweight web server written in Delphi for Win32 platforms. This vulnerability affects all versions prior to 2.01 and arises from improper neutralization of special elements used in OS commands (CWE-78) combined with insufficient CGI parameter validation (CWE-88). Specifically, unauthenticated remote attackers can bypass the web server's CGI parameter security controls, allowing them to inject malicious commands through crafted HTTP requests. The impact varies based on the server's CGI configuration: it can lead to disclosure of source code or full remote code execution (RCE). Servers hosting CGI scripts, particularly those running interpreted languages like PHP via executables such as php-cgi.exe, are at heightened risk because these executables accept command-line flags that can be exploited. The vulnerability is exploitable over the network without authentication or user interaction, making it highly dangerous. The vendor has released version 2.01 to patch this issue. In the interim, enabling the STRICT_CGI_PARAMS directive (enabled by default in define.inc) can help restrict dangerous parameters. Additionally, administrators are advised to avoid using CGI executables that accept risky command-line flags and to deploy Web Application Firewalls (WAFs) configured to block query parameters starting with hyphens or containing encoded double quotes (%22), which are commonly used in exploitation attempts.

The vulnerability poses a severe risk to organizations worldwide running vulnerable versions of TinyWeb, especially those hosting CGI scripts with interpreted languages like PHP. Successful exploitation can lead to unauthorized disclosure of sensitive source code, exposing intellectual property and potentially revealing further vulnerabilities. More critically, it can enable remote code execution, allowing attackers to execute arbitrary commands on the server with the privileges of the web server process. This can lead to full system compromise, data theft, service disruption, or use of the server as a pivot point for lateral movement within an organization’s network. Given the vulnerability requires no authentication or user interaction and is exploitable remotely, the attack surface is broad. Organizations relying on TinyWeb in production environments, particularly in sectors where web servers host critical applications or sensitive data, face significant operational and reputational risks. The critical CVSS score of 10 underscores the urgency of remediation.

1. Upgrade TinyWeb to version 2.01 or later immediately to apply the official patch addressing this vulnerability. 2. If immediate upgrade is not feasible, ensure the STRICT_CGI_PARAMS directive is enabled in the server configuration (it is enabled by default in define.inc) to enforce stricter validation of CGI parameters. 3. Avoid using CGI executables that accept dangerous command-line flags, such as php-cgi.exe, or replace them with safer alternatives that do not expose such attack vectors. 4. Deploy a Web Application Firewall (WAF) in front of the TinyWeb server configured to block URL query string parameters that begin with a hyphen (-) or contain encoded double quotes (%22), as these are commonly used in exploitation attempts. 5. Conduct thorough auditing and monitoring of web server logs for suspicious CGI parameter usage or unusual command-line flags. 6. Restrict permissions of the web server process to the minimum necessary to limit potential damage from exploitation. 7. Regularly review and update server configurations and security policies to incorporate emerging threat intelligence related to CGI and web server vulnerabilities.