CVE-2026-27630

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/maximmasiutin/TinyWeb/commit/23268c8	Patch
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-ccv5-8948-c99c	Vendor Advisory
https://www.masiutin.net/tinyweb-cve-2026-27630.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 00:16

Updated : 2026-02-28 01:01

NVD link : CVE-2026-27630

Mitre link : CVE-2026-27630

CVE.ORG link : CVE-2026-27630

JSON object : View

Products Affected

ritlabs

tinyweb

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-27630", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T00:16:23.813", "references": [{"url": "https://github.com/maximmasiutin/TinyWeb/commit/23268c8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-ccv5-8948-c99c", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.masiutin.net/tinyweb-cve-2026-27630.html", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts."}, {"lang": "es", "value": "TinyWeb es un servidor web (HTTP, HTTPS) escrito en Delphi para Win32. Las versiones anteriores a la 2.02 son vulnerables a un ataque de denegaci\u00f3n de servicio (DoS) conocido como Slowloris. El servidor genera un nuevo hilo del sistema operativo para cada conexi\u00f3n entrante sin imponer un l\u00edmite m\u00e1ximo de concurrencia o un tiempo de espera de solicitud adecuado. Un atacante remoto no autenticado puede agotar los l\u00edmites de concurrencia del servidor y la memoria abriendo numerosas conexiones y enviando datos excepcionalmente lento (por ejemplo, 1 byte cada pocos minutos). Cualquiera que aloje servicios usando TinyWeb se ve afectado. La versi\u00f3n 2.02 corrige el problema. El parche introduce un l\u00edmite 'CMaxConnections' (establecido en 512) y un tiempo de espera de inactividad 'CConnectionTimeoutSecs' (establecido en 30 segundos). Como soluci\u00f3n alternativa temporal si la actualizaci\u00f3n no es posible de inmediato, considere colocar el servidor detr\u00e1s de un proxy inverso robusto o un cortafuegos de aplicaciones web (WAF) como nginx, HAProxy o Cloudflare, configurado para almacenar en b\u00fafer las solicitudes incompletas y aplicar agresivamente los l\u00edmites y tiempos de espera de conexi\u00f3n."}], "lastModified": "2026-02-28T01:01:22.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AAA8D54-16C4-42CC-A7B8-6CDCFAA96A00", "versionEndExcluding": "2.02"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}