Vulnerability Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust the server's threads and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
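The two controls the 2.02 patch adds, modelled in Python as an added example (this is not TinyWeb's Delphi code): a cap of 512 concurrent connections and a 30-second idle timeout, run against a constructed slow-sender flood with an injected clock so the scenario completes instantly.

```python
import time


class ConnectionGuard:
    """Admission control modelled on the TinyWeb 2.02 fix (connection cap plus idle
    timeout). Constructed Python illustration, not TinyWeb's own Delphi code."""
    def __init__(self, max_connections=512, idle_timeout_secs=30, clock=time.monotonic):
        self.max_connections = max_connections      # CMaxConnections in the fix
        self.idle_timeout_secs = idle_timeout_secs  # CConnectionTimeoutSecs in the fix
        self.clock = clock                          # injectable for deterministic runs
        self.last_activity = {}                     # conn_id -> time of last received byte

    def accept(self, conn_id):
        """Admit a connection (and its thread) only while under the cap."""
        if len(self.last_activity) >= self.max_connections:
            return False
        self.last_activity[conn_id] = self.clock()
        return True

    def data_received(self, conn_id):
        self.last_activity[conn_id] = self.clock()

    def reap_idle(self):
        """Close every connection silent for longer than the idle timeout."""
        now = self.clock()
        stale = [c for c, t in self.last_activity.items() if now - t > self.idle_timeout_secs]
        for c in stale:
            del self.last_activity[c]
        return stale


def simulate(attacker_conns=600):
    """Two Slowloris waves against the guarded server; returns the observed counts."""
    now = [0.0]                                     # constructed fake clock, in seconds
    guard = ConnectionGuard(clock=lambda: now[0])
    first_admitted = sum(guard.accept(f"a-{i}") for i in range(attacker_conns))
    legit_blocked = not guard.accept("legit")       # table full: real client turned away
    now[0] = 31                                     # attackers stay silent past the timeout
    first_reaped = len(guard.reap_idle())
    legit_admitted = guard.accept("legit")          # freed slots let the real client in
    now[0] = 41
    second_admitted = sum(guard.accept(f"b-{i}") for i in range(attacker_conns))
    now[0] = 50
    guard.data_received("legit")                    # real client keeps sending
    now[0] = 72                                     # wave two silent 31 s, legit silent 22 s
    second_reaped = len(guard.reap_idle())
    return dict(first_admitted=first_admitted, legit_blocked=legit_blocked,
                first_reaped=first_reaped, legit_admitted=legit_admitted,
                second_admitted=second_admitted, second_reaped=second_reaped,
                legit_survives="legit" in guard.last_activity)
```

Without the cap and timeout, every one of the 600 slow connections would hold a thread indefinitely; with them, the flood is bounded at 512 threads and each slot is reclaimed after 30 s of silence while a client that keeps sending is left alone.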
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ritlabs | Tinyweb | < 2.02 |
Related Weaknesses (CWE)
References
- https://github.com/maximmasiutin/TinyWeb/commit/23268c8 (Patch)
- https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-ccv5-8948-c99c (Vendor Advisory)
- https://www.masiutin.net/tinyweb-cve-2026-27630.html (Third Party Advisory)
FAQ
What is CVE-2026-27630?
CVE-2026-27630 is a vulnerability with a CVSS score of 7.5 (HIGH). TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thre...
How severe is CVE-2026-27630?
CVE-2026-27630 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2026-27630?
Check the references section above for vendor advisories and patch information. Affected products include: Ritlabs Tinyweb.