PT-2026-23630 · Tinyweb · Tinyweb

Maximmasiutin · Published 2026-03-06 · Updated 2026-03-16 · CVE-2026-29046

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

Name of the Vulnerable Software and Affected Versions
TinyWeb versions prior to 2.04

Description
TinyWeb, a web server for Win32, is susceptible to a header value confusion issue due to insufficient sanitization of control characters (CR, LF, and NUL, including encoded forms like %0d, %0a, and %00) within HTTP request headers. The parser's failure to strictly reject these characters and consistently defend against encoded forms can lead to unsafe data being introduced into the CGI execution context via HTTP_* environment variables. This could potentially enable malicious manipulation of CGI processes.

Recommendations
Update to version 2.04 or later.
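
The check the description calls for, as an added example (not TinyWeb's code, which this page does not show): a filter applied before request headers are copied into HTTP_* variables, rejecting CR, LF and NUL whether raw or percent-encoded. It goes slightly beyond the advisory by also unwinding nested encodings up to a bound; the names `find_control`, `cgi_environ`, `HeaderRejected` and the bound of 3 rounds are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

FORBIDDEN = frozenset(b"\r\n\x00")          # CR, LF, NUL
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name token
MAX_DECODE_ROUNDS = 3                        # assumption: bound on nested encoding


class HeaderRejected(ValueError):
    """Raised so the caller can refuse the request before any CGI is started."""


def find_control(data: bytes):
    """Describe the first CR/LF/NUL found raw or percent-encoded, else None."""
    current = data
    for depth in range(MAX_DECODE_ROUNDS + 1):
        hit = next((b for b in current if b in FORBIDDEN), None)
        if hit is not None:
            where = "raw" if depth == 0 else f"percent-encoded (depth {depth})"
            return f"{where} byte 0x{hit:02x}"
        decoded = unquote_to_bytes(current)
        if decoded == current:               # nothing left to decode
            return None
        current = decoded
    return "percent-encoding nested too deeply"


def cgi_environ(headers):
    """Map (name, value) byte pairs to HTTP_* variables, rejecting unsafe input."""
    env = {}
    for name, value in headers:
        if not TOKEN.fullmatch(name):        # fullmatch: '$' would allow a trailing LF
            raise HeaderRejected(f"invalid header name {name!r}")
        problem = find_control(name) or find_control(value)
        if problem:
            raise HeaderRejected(f"{name.decode('ascii')}: {problem}")
        key = "HTTP_" + name.decode("ascii").upper().replace("-", "_")
        text = value.decode("latin-1").strip(" \t")
        env[key] = f"{env[key]}, {text}" if key in env else text
    return env


# Constructed sample input, not taken from the advisory.
SAMPLE_OK = [(b"Host", b"example.test"), (b"X-Trace-Id", b"abc%20123")]
SAMPLE_BAD = [(b"X-Note", b"value%0d%0aextra")]

if __name__ == "__main__":
    print(cgi_environ(SAMPLE_OK))
    try:
        cgi_environ(SAMPLE_BAD)
    except HeaderRejected as exc:
        print("rejected:", exc)
```

The filter rejects the whole request rather than stripping the offending bytes, so a CGI process never sees a value that differs from what the client sent.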

Exploit

Fix

Special Elements Injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-29046
GHSA-R3GF-PG2C-M7MC

Affected Products

Tinyweb