Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
INFO
Published Date :
2026-02-25T23:05:16.563Z
Last Modified :
2026-02-26T16:50:51.538Z
Source :
GitHub_M
AFFECTED PRODUCTS
The following products are affected by CVE-2026-27630 vulnerability.
| Vendors | Products |
|---|---|
| Maximmasiutin |
|
| Ritlabs |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27630.
