Home > Vulnerability Database > CVE-2026-22781

Mend.io Vulnerability Database

CVE-2026-22781

Good to know:

Date: January 12, 2026

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.

Severity Score

10.0

Related Resources (5)

Url: https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96

Url: https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22781

Url: https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2

Url: https://www.mend.io/vulnerability-database/CVE-2026-22781

Severity Score

10.0

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version https://github.com/maximmasiutin/TinyWeb.git - v1.98;https://github.com/maximmasiutin/TinyWeb.git - v1.98

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22781

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?