TinyWeb, a lightweight HTTP/HTTPS server written in Delphi for Win32 platforms, versions prior to 2.04 contain a critical vulnerability identified as CVE-2026-29046. The root cause lies in the server’s inadequate parsing of HTTP request headers, specifically its failure to strictly reject dangerous control characters such as carriage return (CR), line feed (LF), and null bytes (NUL), as well as their percent-encoded equivalents (%0d, %0a, %00). These characters can be used to confuse the header parser, leading to header value confusion across parser boundaries. This confusion allows maliciously crafted headers to inject unsafe data into the CGI environment variables (prefixed with HTTP_*), which are subsequently used in CGI script execution contexts. This unsafe data injection can lead to process control vulnerabilities (CWE-114), improper input validation (CWE-20), improper neutralization of special elements in output (CWE-74), and improper control of generation of code (CWE-93). The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score of 9.2 reflects the critical nature of this flaw, highlighting its network attack vector, low attack complexity, no privileges or user interaction required, and high impact on integrity and availability. Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a prime target for attackers aiming to execute arbitrary code or disrupt services via CGI scripts. The vendor has addressed this issue in TinyWeb version 2.04 by implementing stricter header parsing and rejecting dangerous control characters and encoded forms.

The vulnerability allows attackers to inject malicious data into the CGI environment, potentially leading to arbitrary code execution, unauthorized process control, or denial of service. This can compromise the confidentiality, integrity, and availability of affected systems. Since TinyWeb is a web server, successful exploitation could allow attackers to execute commands with the privileges of the web server process, pivot within the network, or disrupt critical web services. The lack of authentication and user interaction requirements increases the risk of widespread exploitation. Organizations relying on TinyWeb for web hosting or internal applications may face data breaches, service outages, or full system compromise. The impact is especially severe in environments where TinyWeb is exposed to the internet or used to run sensitive CGI scripts.

1. Immediately upgrade TinyWeb to version 2.04 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, implement network-level controls such as web application firewalls (WAFs) to detect and block suspicious HTTP headers containing control characters or encoded equivalents. 3. Audit and sanitize all CGI environment variables rigorously to ensure no unsafe data is processed by CGI scripts. 4. Employ strict input validation and output encoding in all CGI scripts to mitigate injection risks. 5. Monitor web server logs for anomalous header values or unusual CGI environment variable content indicative of exploitation attempts. 6. Restrict the privileges of the TinyWeb process to the minimum necessary to limit potential damage from exploitation. 7. Consider isolating TinyWeb instances in segmented network zones to reduce lateral movement risk. 8. Educate developers and administrators about the risks of improper header parsing and the importance of timely patching.