TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2026-27630

HIGH
7.5

Beschreibung

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.

CVE Details

CVSS v3.1 Bewertung7.5
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht2/26/2026
Zuletzt geandert2/28/2026
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

ritlabs:tinyweb

Schwachen (CWE)

CWE-400CWE-770

Referenzen

https://github.com/maximmasiutin/TinyWeb/commit/23268c8(security-advisories@github.com)
https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-ccv5-8948-c99c(security-advisories@github.com)
https://www.masiutin.net/tinyweb-cve-2026-27630.html(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.