PT-2026-2293 · Tinyweb · Tinyweb

Maxim Masutin · Published 2026-01-12 · Updated 2026-01-12 · CVE-2026-22781

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: TinyWeb versions prior to 1.98

Description: TinyWeb is a web server for Win32. Versions of TinyWeb HTTP Server before 1.98 are vulnerable to operating system command injection: CGI ISINDEX-style query parameters are passed as command-line arguments to a CGI executable through the Windows CreateProcess() function. A remote, unauthenticated attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests.

Recommendations: Update to TinyWeb version 1.98 or later.
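
A log-review check for the request pattern described above, added here as an example and not taken from the advisory or the TinyWeb project: it flags CGI requests whose query string is ISINDEX-style (no unencoded `=`, which RFC 3875 section 4.4 turns into command-line arguments) and contains Windows shell metacharacters after URL decoding. The Common Log Format request field, the `/cgi-bin/` prefix and the metacharacter set are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumptions (not from the advisory): Common Log Format request field,
# CGI programs served under /cgi-bin/, and this metacharacter set.
CGI_PREFIX = "/cgi-bin/"
SHELL_META = set('&|<>^"%!()')
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, harmless tokens).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2026:10:00:01 +0000] "GET /cgi-bin/search.exe?alpha+beta HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Jan/2026:10:00:02 +0000] "GET /cgi-bin/search.exe?q=a%26b HTTP/1.1" 200 512',
    '192.0.2.12 - - [12/Jan/2026:10:00:03 +0000] "GET /cgi-bin/search.exe?alpha%26beta+gamma%7Cdelta HTTP/1.1" 200 512',
    '192.0.2.13 - - [12/Jan/2026:10:00:04 +0000] "GET /index.html?x%7Cy HTTP/1.1" 200 128',
]


def is_isindex_query(query: str) -> bool:
    """A non-empty query with no unencoded '=' is split on '+' and handed
    to the CGI program as command-line arguments (RFC 3875, section 4.4)."""
    return bool(query) and "=" not in query


def suspicious_args(line: str) -> list[str]:
    """Return the decoded ISINDEX arguments that contain shell metacharacters."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not path.lower().startswith(CGI_PREFIX) or not is_isindex_query(query):
        return []
    args = [unquote(a) for a in query.split("+")]
    return [a for a in args if SHELL_META & set(a)]


def scan(lines):
    """Return (line_number, flagged_arguments) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        args = suspicious_args(line)
        if args:
            hits.append((n, args))
    return hits


if __name__ == "__main__":
    for n, args in scan(SAMPLE_LOG):
        print(f"line {n}: ISINDEX arguments with shell metacharacters: {args}")
```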

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-22781
GHSA-M779-84H5-72Q2

Affected Products

Tinyweb