PT-2026-22037 · Php+1

Maximmasiutin · Published 2026-02-25 · Updated 2026-03-04 · CVE-2026-27613

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

TinyWeb versions prior to 2.01

Description

TinyWeb, a web server for Win32, contains a flaw where unauthenticated remote attackers can circumvent the CGI parameter security controls. This can lead to source code disclosure or remote code execution (RCE), depending on the server’s configuration and the CGI executable being used. Systems hosting CGI scripts, such as PHP, are potentially affected. The issue is addressed in version 2.01.

Recommendations

Update to version 2.01. If an immediate upgrade is not possible, ensure STRICT CGI PARAMS is enabled. If hosting PHP, consider placing the server behind a Web Application Firewall (WAF) that blocks URL query string parameters beginning with a hyphen (-) or containing encoded double quotes (%22).
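
A sketch of the WAF check described in the recommendation, added here as an illustration and not taken from TinyWeb, the advisory or any WAF product. The function names and sample queries are constructed, and splitting on `+` as well as `&` is an assumption modelled on the CGI command-line convention in RFC 3875 section 4.4.

```python
from typing import List, Optional
from urllib.parse import unquote


def split_params(raw_query: str) -> List[str]:
    """Split a raw (still percent-encoded) query string into parameters.

    '&' separates key=value pairs. '+' is also treated as a separator
    (assumption: CGI servers may pass '+'-separated tokens as argv entries).
    """
    parts: List[str] = []
    for pair in raw_query.split("&"):
        parts.extend(pair.split("+"))
    return [p for p in parts if p]


def block_reason(raw_query: str) -> Optional[str]:
    """Return why the query should be blocked, or None to let it through."""
    for part in split_params(raw_query):
        # Decode once, as the server would, so %2D and %22 are seen
        # as '-' and '"' rather than slipping past a literal match.
        decoded = unquote(part)
        if '"' in decoded:
            return "double quote in query string"
        if decoded.startswith("-"):
            return "parameter begins with a hyphen"
    return None


if __name__ == "__main__":
    # Constructed sample queries, not taken from real traffic.
    samples = [
        "id=42&name=alice",  # ordinary request
        "n=-5",              # hyphen inside a value, parameter starts with 'n'
        "-x",                # parameter begins with a hyphen
        "%2Dx",              # same, with the hyphen percent-encoded
        "a+-x",              # hyphen-led token after a '+' separator
        "q=%22x%22",         # encoded double quotes
    ]
    for q in samples:
        print(f"{q!r:22} -> {block_reason(q) or 'allow'}")
```

The check runs on the query string exactly as received, before any application-level parsing, and it is a stopgap for hosts that cannot yet move to version 2.01.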

Exploit

Fix

RCE

Argument Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27613
GHSA-RFX5-FH9M-9JJ9

Affected Products

Php
Tinyweb