CVE 10 CRITICAL

TinyWeb CGI Command Injection_CVE-2026-22781

January 12, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

AI Analysis

TinyWeb HTTP Server is vulnerable to OS command injection via CGI ISINDEX-style query parameters, allowing an unauthenticated remote attacker to execute arbitrary commands on the server.

Basic Information

ID CVE-2026-22781

Source GitHub_M

Published Jan 12, 2026 at 18:23

Affected Product

Vendor maximmasiutin

Product TinyWeb

Version < 1.98

Affected Versions maximmasiutin TinyWeb < 1.98

CWE Classification

CWE-78

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor maximmasiutin

Product TinyWeb HTTP Server

Version < 1.98

References

{
    "lastseen": "",
    "description": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.",
    "published": "2026-01-12T18:23:00.512Z",
    "modified": "2026-01-12T18:23:00.512Z",
    "type": "cve",
    "title": "TinyWeb CGI Command Injection",
    "source": "GitHub_M",
    "references": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2\nhttps://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96\nhttps://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html",
    "id": "CVE-2026-22781",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "maximmasiutin TinyWeb < 1.98",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "TinyWeb",
    "version": "< 1.98",
    "vendor": "maximmasiutin",
    "ai_description": "TinyWeb HTTP Server is vulnerable to OS command injection via CGI ISINDEX-style query parameters, allowing an unauthenticated remote attacker to execute arbitrary commands on the server.",
    "ai_severity": "Critical",
    "ai_vendor": "maximmasiutin",
    "ai_product": "TinyWeb HTTP Server",
    "ai_version": "< 1.98",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply