CVE-2026-29046 - TinyWeb: HTTP Header Control Character Injection into CGI Environment

CVE ID : CVE-2026-29046 Published : March 6, 2026, 2:54 a.m. | 55 minutes ago Description : TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against encoded forms such as %0d, %0a, and %00. This can enable header value confusion across parser boundaries and may create unsafe data in the CGI execution context. This issue has been patched in version 2.04. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...