CVE-2026-27630

7.5 HIGH

📋 TL;DR

TinyWeb versions before 2.02 are vulnerable to Slowloris denial-of-service attacks where attackers can exhaust server resources by opening many connections and sending data extremely slowly. Anyone hosting services with vulnerable TinyWeb versions is affected. The vulnerability allows unauthenticated remote attackers to make the web server unresponsive.

💻 Affected Systems

Products:
  • TinyWeb
Versions: All versions prior to 2.02
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The server is written in Delphi for Win32.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage making the web server completely unresponsive to legitimate users, potentially for extended periods until manual intervention.

🟠 Likely Case

Service degradation or intermittent unavailability as server resources are consumed by malicious connections.

🟢 If Mitigated

Minimal impact with proper connection limits and timeouts enforced via patching or reverse proxy.

🌐 Internet-Facing: HIGH - Internet-facing servers are directly exposed to unauthenticated remote attackers.
🏢 Internal Only: MEDIUM - Internal servers could still be targeted by internal threat actors or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Slowloris is a well-known attack technique with many public tools available. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.02

Vendor Advisory: https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-ccv5-8948-c99c

Restart Required: Yes

Instructions:

1. Download TinyWeb version 2.02 or later from the official repository.
2. Replace the existing TinyWeb executable with the patched version.
3. Restart the TinyWeb service or process.

🔧 Temporary Workarounds

Reverse Proxy with Connection Limits

Applies to: all

Place TinyWeb behind a reverse proxy like nginx or HAProxy that enforces connection limits and timeouts.

# nginx example configuration
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    # Client-side timeouts: close connections whose headers or body arrive too slowly
    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;
    # Cap concurrent connections per client address
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn perip 20;
    # Upstream timeouts toward TinyWeb
    proxy_read_timeout 30s;
    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    # ... rest of configuration
}

🧯 If You Can't Patch

  • Deploy a Web Application Firewall (WAF) like Cloudflare or ModSecurity configured to detect and block Slowloris patterns
  • Implement network-level controls such as rate limiting or connection limiting at the firewall/load balancer

🔍 How to Verify

Check if Vulnerable:

Check whether the TinyWeb version is below 2.02. The vulnerability exists if no connection limits or idle timeouts are configured.

Check Version:

Check the TinyWeb executable's file properties, or run it with the --version flag if available.

Verify Fix Applied:

Verify TinyWeb version is 2.02 or higher and check that CMaxConnections and CConnectionTimeoutSecs parameters are properly configured.

📡 Detection & Monitoring

Log Indicators:

  • Large number of simultaneous connections from single IPs
  • Connections remaining open for unusually long periods without completing requests
  • Server resource exhaustion warnings

Network Indicators:

  • Multiple TCP connections from same source with very slow data transmission
  • Incomplete HTTP requests that never finish
  • Abnormally high number of concurrent connections

SIEM Query:

source="tinyweb.log" AND (connection_count > 500 OR connection_duration > 300)
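As an added illustration of the three indicators above (example code, not from this advisory or the TinyWeb project), the script below applies per-source concurrency, long-unfinished-request and trickle-rate checks to constructed connection records; the record format, field names and thresholds are assumptions, not TinyWeb's real log format.

```python
"""Added example: apply this advisory's Slowloris indicators to connection records.
Constructed record format (not TinyWeb's real log format):
    <src_ip> <open_epoch_s> <last_seen_epoch_s> <bytes_received> <request_complete:0|1>"""
from collections import defaultdict

# Demo thresholds (assumptions); tune to the server's normal traffic profile.
MAX_CONCURRENT_PER_IP = 50   # more incomplete connections than this from one IP
MAX_INCOMPLETE_SECS = 300    # a request still unfinished after this long is suspect
SLOW_BYTES_PER_SEC = 1.0     # below this average rate the client is trickling data
MIN_AGE_FOR_RATE_SECS = 60   # don't judge the rate of very young connections

def parse_records(text):
    """Parse whitespace-separated records into dicts."""
    records = []
    for line in text.strip().splitlines():
        ip, opened, last_seen, nbytes, done = line.split()
        records.append({"ip": ip, "opened": int(opened), "last_seen": int(last_seen),
                        "bytes": int(nbytes), "complete": done == "1"})
    return records

def slowloris_indicators(records, now):
    """Return {src_ip: [reasons]} for sources matching the page's three indicators."""
    per_ip = defaultdict(list)
    for r in records:
        if not r["complete"]:            # completed requests are not Slowloris holds
            per_ip[r["ip"]].append(r)
    findings = {}
    for ip, conns in per_ip.items():
        reasons = []
        if len(conns) > MAX_CONCURRENT_PER_IP:
            reasons.append(f"{len(conns)} concurrent incomplete connections")
        stale = [c for c in conns if now - c["opened"] > MAX_INCOMPLETE_SECS]
        if stale:
            reasons.append(f"{len(stale)} requests unfinished after {MAX_INCOMPLETE_SECS}s")
        slow = [c for c in conns if now - c["opened"] > MIN_AGE_FOR_RATE_SECS
                and c["bytes"] / (now - c["opened"]) < SLOW_BYTES_PER_SEC]
        if slow:
            reasons.append(f"{len(slow)} connections trickling below {SLOW_BYTES_PER_SEC} B/s")
        if reasons:
            findings[ip] = reasons
    return findings

NOW = 1_700_000_000
# Constructed sample: one source holding 120 slow, unfinished connections, plus two normal clients.
SAMPLE = "\n".join(
    [f"198.51.100.7 {NOW - 400 - i} {NOW - 5} 40 0" for i in range(120)]
    + [f"203.0.113.10 {NOW - 3} {NOW - 2} 512 1",     # finished quickly
       f"203.0.113.11 {NOW - 20} {NOW - 1} 300 0"])   # young, still in progress

def demo():
    return slowloris_indicators(parse_records(SAMPLE), NOW)
```

Running `demo()` flags only 198.51.100.7 on all three indicators, while the two normal clients are left alone.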
