CVE-2026-29046 · HIGH 8.2 · EPSS p30.4%

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
EPSS: 0.39% probability of exploitation · percentile 30.4% · 2026-06-18T12:00:27Z
Published: 2026-03-06
Last modified: 2026-03-16

Underlying weaknesses · 4

CWE-20, CWE-74, CWE-93, CWE-114

References

  1. https://github.com/maximmasiutin/TinyWeb/commit/53aa8b6e5146491d7be57920e3fc50d7a34e4d5a
  2. https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-r3gf-pg2c-m7mc

Type | Target | Confidence | Tier
Weakness | Process Control (cwe-114) | 0% | live
Weakness | Improper Input Validation (cwe-20) | 0% | live
Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (cwe-74) | 0% | live
Weakness | Improper Neutralization of CRLF Sequences ('CRLF Injection') (cwe-93) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-28497
CVE-2026-22781
CVE-2026-27613
CVE-2025-3266
CVE-2025-3268
CVE-2025-3267

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.