CVE-2026-28497 is an integer overflow vulnerability categorized under CWE-190 and CWE-444, found in TinyWeb, a lightweight HTTP/HTTPS server written in Delphi for Win32 platforms. The vulnerability arises from improper handling in the string-to-integer conversion function (_Val), which processes the Content-Length header. When an attacker sends a specially crafted HTTP request with manipulated Content-Length values, the integer overflow causes the server to misinterpret the length of the HTTP body. This misinterpretation enables HTTP Request Smuggling, a technique where attackers send ambiguous or overlapping HTTP requests that bypass security controls, such as firewalls and intrusion detection systems. The consequence is that attackers can gain unauthorized access to protected resources, bypass security filters, and poison caches, potentially affecting downstream users or services. The issue is particularly severe on servers using persistent connections (Keep-Alive), as the request smuggling can manipulate connection reuse and request boundaries. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The vendor has addressed this vulnerability in TinyWeb version 2.03 by correcting the integer handling logic to prevent overflow and enforce proper Content-Length validation.

The impact of CVE-2026-28497 is critical for organizations running vulnerable versions of TinyWeb, especially those relying on persistent HTTP connections. Exploitation can lead to unauthorized access to sensitive data, bypassing of security filters such as web application firewalls, and cache poisoning that can serve malicious content to legitimate users. This undermines the confidentiality, integrity, and availability of web services hosted on TinyWeb. Attackers can leverage this to conduct further attacks, including session hijacking, data exfiltration, or spreading malware. Given that TinyWeb is a specialized web server, the overall scope may be limited compared to more widely deployed servers, but organizations using it in critical environments face significant risk. The lack of authentication and user interaction requirements increases the likelihood of exploitation if the server is internet-facing. Additionally, the ability to bypass Content-Length restrictions can disrupt normal HTTP traffic processing, potentially causing denial of service or instability.

Organizations should immediately upgrade TinyWeb to version 2.03 or later, where the vulnerability has been patched. Until the upgrade can be applied, administrators should consider disabling persistent HTTP connections (Keep-Alive) to reduce the risk of request smuggling exploitation. Implementing strict input validation and filtering at perimeter security devices, such as web application firewalls, can help detect and block malformed HTTP requests attempting to exploit this vulnerability. Network segmentation and limiting exposure of TinyWeb servers to untrusted networks will reduce attack surface. Monitoring HTTP traffic for anomalies related to Content-Length headers and unusual request patterns can provide early detection of exploitation attempts. Additionally, conducting regular security assessments and penetration testing focused on HTTP request smuggling can help identify residual risks. Finally, organizations should maintain an inventory of all web servers in use to ensure no vulnerable TinyWeb instances remain in production.