
Maxim Masiutin

Researcher from GitHub, Inc.
#30246 of 53,639
8.7 total CVSS
Vulnerabilities · 1
PT-2026-22038
8.7
2026-02-25
Tinyweb · Tinyweb · CVE-2026-27630
**Name of the Vulnerable Software and Affected Versions**
TinyWeb versions prior to 2.02

**Description**
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. The server creates a new operating system thread for each incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data very slowly. This is known as a Slowloris attack. The `CMaxConnections` limit is set to 512 and the `CConnectionTimeoutSecs` idle timeout is set to 30 seconds in version 2.02.

**Recommendations**
Versions prior to 2.02 should be upgraded to version 2.02.