CVE-2026-22781

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2026-22781
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22781.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22781
Aliases
  • GHSA-m779-84h5-72q2
Published
2026-01-12T18:23:00.512Z
Modified
2026-01-12T19:56:22.037668Z
Severity
  • 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
TinyWeb CGI Command Injection
Details

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22781.json",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/maximmasiutin/tinyweb

Affected ranges

Type
GIT
Repo
https://github.com/maximmasiutin/tinyweb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3407898cefc109d5e2138fffedf91c8aa0f3ecd4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.98"
        }
    ]
}

Affected versions

v1.*

v1.95
v1.96
v1.97

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22781.json"