{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29046", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-03-06T02:54:11.026Z", "dateUpdated": "2026-03-06T16:10:18.974Z"}, "containers": {"cna": {"title": "TinyWeb: HTTP Header Control Character Injection into CGI Environment", "problemTypes": [{"descriptions": [{"cweId": "CWE-114", "lang": "en", "description": "CWE-114: Process Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc"}, {"name": "https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a", "tags": ["x_refsource_MISC"], "url": "https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a"}], "affected": [{"vendor": "maximmasiutin", "product": "TinyWeb", "versions": [{"version": "< 2.04", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T02:54:11.026Z"}, "descriptions": [{"lang": "en", "value": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04."}], "source": {"advisory": "GHSA-r3gf-pg2c-m7mc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:27.430109Z", "id": "CVE-2026-29046", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:10:18.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:27.430109Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:28.596Z"}}], "cna": {"title": "TinyWeb: HTTP Header Control Character Injection into CGI Environment", "source": {"advisory": "GHSA-r3gf-pg2c-m7mc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "maximmasiutin", "product": "TinyWeb", "versions": [{"status": "affected", "version": "< 2.04"}]}], "references": [{"url": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc", "name": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a", "name": "https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-114", "description": "CWE-114: Process Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T02:54:11.026Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29046", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:10:18.974Z", "dateReserved": "2026-03-03T17:50:11.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T02:54:11.026Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B7867E0-22DE-4F76-BBB6-A7C6E1FD4231", "versionEndExcluding": "2.04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04."}, {"lang": "es", "value": "TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Antes de la versi\u00f3n 2.04, TinyWeb acepta valores de encabezado de solicitud y luego los mapea en variables de entorno CGI (HTTP_*). El analizador no rechazaba estrictamente los caracteres de control peligrosos en las l\u00edneas de encabezado y los valores de encabezado, incluyendo CR, LF y NUL, y no se defend\u00eda consistentemente contra formas codificadas como %0d, %0a y %00. Esto puede permitir la confusi\u00f3n de valores de encabezado a trav\u00e9s de los l\u00edmites del analizador y puede crear datos inseguros en el contexto de ejecuci\u00f3n CGI. Este problema ha sido parcheado en la versi\u00f3n 2.04."}], "id": "CVE-2026-29046", "lastModified": "2026-03-16T15:00:12.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T04:16:08.740", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-114"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.04)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "TinyWeb", "source": "cna", "vendor": "maximmasiutin"}, "product": "tinyweb", "vendor": "maximmasiutin"}], "analysis": {"en": {"generated_at": "2026-04-17T12:27:55.110189+00:00", "value": {"mitigation_remediation": ["Upgrade TinyWeb to version 2.04 or later to receive the patch that removes the unsafe header handling and rejects control characters. ", "If an upgrade is not immediately possible, isolate the affected server behind a reverse proxy or firewall that sanitizes incoming header content, stripping or rejecting CR, LF, and NUL bytes before they reach the TinyWeb process. ", "Configure the web service to enforce strict TLS or authentication controls where feasible, limiting exposure to untrusted clients and reducing the attack surface for header injection."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all TinyWeb releases prior to version 2.04. The affected product, TinyWeb, is distributed by the developer Maxim Masutin. Clients running any pre\u20112.04 build\u2014regardless of minor patch levels\u2014are susceptible until they apply the patch included in 2.04 or later.", "description_and_impact": "TinyWeb, a Delphi-based web server, incorrectly parses HTTP header values and passes them to CGI scripts as environment variables. Because the parser does not reject dangerous control characters\u2014such as CR, LF, and NUL\u2014and fails to reject encoded forms (%0d, %0a, %00), an attacker can inject malformed header content that propagates into the CGI execution context. This manipulation can alter request processing, inject code or commands, and ultimately allow the execution of arbitrary code on the host running the web server. The flaw falls under several weaknesses including improper input validation and unsafe handling of environment data.", "risk_and_exploitability": "The CVSS score of 9.2 indicates a high\u2011severity threat, but the EPSS score of less than 1% suggests that active exploitation in the wild is currently unlikely. The vulnerability is reachable over the network through crafted HTTP requests, and it does not require local access or elevated privileges on the target system. The flaw is not listed in the CISA KEV catalog, but its potential for remote code execution warrants immediate attention."}}}}, "created": "2026-03-06T14:56:10.027440+00:00", "updated": "2026-04-17T12:30:06.281328+00:00", "vendors": ["maximmasiutin", "maximmasiutin$PRODUCT$tinyweb"]}