QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-22781

Back to search

CVE-2026-22781

Published: Jan 12, 2026

Modified: Jan 12, 2026

PUBLISHED

Description

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

VendorProductVersions

maximmasiutin

TinyWeb

affected
< 1.98

Weaknesses (CWE)

CWE-78

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now