PT-2026-22039 · Unknown+2 · Cloudflared+2

Maxim Masutin (+1) · Published 2026-02-25 · Updated 2026-03-03

CVE-2026-27633 · CVSS v4.0 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TinyWeb versions prior to 2.02

Description: TinyWeb is a web server written in Delphi for Win32. Versions prior to 2.02 are susceptible to a Denial of Service (DoS) condition caused by memory exhaustion. An unauthenticated remote attacker can send an HTTP POST request to the server with a very large Content-Length header, such as 2147483647. While processing the payload, the server keeps allocating memory for the request body (EntityBody) without any size restriction. This consumes all available memory and ultimately causes the server to crash. Any service hosted using TinyWeb is potentially impacted. The issue is resolved in version 2.02, which introduces a CMaxEntityBodySize limit of 10 MB for incoming payloads.

Recommendations: Versions prior to 2.02 should be upgraded to version 2.02 or later. As a temporary workaround, if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (such as nginx or Cloudflare) configured to limit the maximum allowed HTTP request body size (e.g., client_max_body_size in nginx).
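An added example, not TinyWeb's own Delphi code and not taken from the advisory: a Python sketch of the defensive check the 2.02 fix describes. The declared Content-Length is compared against an entity-body cap (the advisory's 10 MB value) before any buffer is grown, so a request declaring 2147483647 bytes is refused without reading or allocating anything, and an in-range body is then read in bounded chunks instead of one allocation sized by the client. The function names, the constructed sample requests and the status codes returned are assumptions of this example.

```python
import io

# Cap taken from the advisory: TinyWeb 2.02 limits the entity body to 10 MB.
MAX_ENTITY_BODY_SIZE = 10 * 1024 * 1024


class PayloadTooLarge(Exception):
    """The request body would exceed the configured cap (HTTP 413)."""


def parse_content_length(headers):
    """Return the declared Content-Length as an int, or None when absent.

    Non-numeric or negative values are malformed; they raise ValueError so the
    caller can answer 400 instead of trusting the header.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "content-length":
            value = raw.strip()
    if value is None:
        return None
    if not value.isdigit():  # rejects "", "-1", "1e9", "abc"
        raise ValueError("malformed Content-Length: %r" % value)
    return int(value)


def read_entity_body(stream, headers, max_size=MAX_ENTITY_BODY_SIZE,
                     chunk_size=64 * 1024):
    """Read the entity body without letting the client dictate memory use.

    The vulnerable pattern trusts Content-Length and grows the body buffer to
    whatever the client declares. Here the declared size is checked against
    max_size *before* any bytes are read, so an oversized declaration is
    refused without touching the stream or allocating a buffer. An in-range
    body is then read in bounded chunks, never more than the declared size.
    """
    declared = parse_content_length(headers)
    if declared is None:
        # No Content-Length: treat as no body. (Transfer-Encoding: chunked
        # would need the same running cap; it is not handled in this sketch.)
        return b""
    if declared > max_size:
        raise PayloadTooLarge("declared %d bytes, cap is %d" % (declared, max_size))

    body = bytearray()
    while len(body) < declared:
        chunk = stream.read(min(chunk_size, declared - len(body)))
        if not chunk:  # client closed early: incomplete body
            break
        body.extend(chunk)
    return bytes(body)


def handle_post(headers, raw_body, max_size=MAX_ENTITY_BODY_SIZE):
    """Map a constructed request to (status, bytes consumed) as a hardened
    server would answer: 400 for a malformed header, 413 when the cap would be
    exceeded, 200 otherwise."""
    stream = io.BytesIO(raw_body)
    try:
        body = read_entity_body(stream, headers, max_size)
    except ValueError:
        return 400, 0
    except PayloadTooLarge:
        return 413, stream.tell()  # tell() == 0 shows nothing was read
    return 200, len(body)


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the advisory.
    print(handle_post({"Content-Length": "5"}, b"hello"))                  # (200, 5)
    print(handle_post({"Content-Length": "2147483647"}, b""))             # (413, 0)
    print(handle_post({"Content-Length": "-1"}, b""))                     # (400, 0)
    print(handle_post({"Content-Length": "32"}, b"x" * 32, max_size=16))  # (413, 0)
```

The same decision is what `client_max_body_size` makes at an nginx reverse proxy: the declared length is compared against the limit before the body is forwarded, which is why the workaround in the recommendations is effective even though TinyWeb itself is unchanged.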

Exploit · Fix

DoS · Allocation of Resources Without Limits · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-27633
GHSA-992W-GMCM-FMGR

Affected Products

Cloudflared
Tinyweb
Nginx