CVE ID: CVE Request 1971570

Summary: TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters.

Severity: Critical (CVSS 4.0 Base Score: 10.0)

Vulnerability Type: OS Command Injection (CWE-78)

Attack Type: Remote

Attack Vector: Network (unauthenticated HTTP request)

Vendor: Maxim Masiutin

Product: TinyWeb HTTP Server

Affected Versions: All versions before 1.98 (0.5 through 1.97)

Fixed Version: 1.98 (November 23, 2025)

Affected Component: CGI ISINDEX query handler, ExecuteScript function

Impact: Code Execution, Information Disclosure, Denial of Service, Privilege Escalation

Root Cause: TinyWeb treats query strings without equals signs as ISINDEX-style input, appending them to the command line without sanitization.

Attack Vector: Sending an HTTP request with shell metacharacters in the query string.

Exploitation Requirements:
- TinyWeb version before 1.98
- At least one CGI script present in cgi-bin directory
- Network access to the TinyWeb server

Fix Applied in Version 1.98:
- Whitelist Validation (Optional)
- Apache-style Escaping (Always Active)

Mitigation: Upgrade to TinyWeb version 1.98 or later. If upgrade is not possible, remove or disable all CGI scripts from the cgi-bin directory.

Timeline:
- November 23, 2025: Vulnerability discovered and fixed in version 1.98
- November 23, 2025: Version 1.98 released with fix
- December 27, 2025: CVE requested from MITRE
- TBD: CVE ID assigned

Credit: Discovered by Maxim Masiutin (maintainer)
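The root cause above is that ISINDEX arguments reach the command line unvalidated. The following is an added example (not TinyWeb's code, and not the 1.98 patch) of the whitelist-validation half of the fix: it applies the RFC 3875 section 4.4 rules for ISINDEX queries (no unencoded '=', split on '+', percent-decode each piece) and refuses any argument containing a character outside a small safe set. The buffer sizes, function names and the exact whitelist are assumptions.

```c
/* Added example, not TinyWeb's code: whitelist validation for CGI ISINDEX args
 * (RFC 3875 s4.4: a query without '=' is split on '+', decoded, passed as argv). */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 16
#define MAX_ARG_LEN 256
static char g_args[MAX_ARGS][MAX_ARG_LEN]; /* decoded, validated arguments */
/* Percent-decode n bytes of s into out; 0 on malformed escape or overflow. */
static int url_decode(const char *s, size_t n, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)s[i];
        if (c == '%') {
            if (i + 2 >= n || !isxdigit((unsigned char)s[i + 1]) ||
                !isxdigit((unsigned char)s[i + 2])) return 0;
            c = (int)strtol((char[]){s[i + 1], s[i + 2], 0}, NULL, 16);
            i += 2;
        }
        if (o + 1 >= outsz) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}
/* Whitelist: letters, digits, '-', '_', '.' only, so every shell/cmd.exe
 * metacharacter (& ; | ` $ < > ^ quotes, newline ...) is rejected outright. */
static int arg_is_safe(const char *a) {
    if (*a == '\0') return 0;
    for (; *a; a++)
        if (!isalnum((unsigned char)*a) && !strchr("-_.", *a)) return 0;
    return 1;
}
/* Returns the argument count; -1 for a form query (contains '=': deliver it
 * only via QUERY_STRING, never on the command line); -2 on any bad argument. */
int parse_isindex_query(const char *query) {
    int n = 0;
    const char *p = query;
    if (strchr(query, '=')) return -1;
    if (*query == '\0') return 0;
    for (;;) {
        const char *plus = strchr(p, '+');
        size_t len = plus ? (size_t)(plus - p) : strlen(p);
        if (n >= MAX_ARGS || !url_decode(p, len, g_args[n], MAX_ARG_LEN) ||
            !arg_is_safe(g_args[n])) return -2;
        n++;
        if (!plus) return n;
        p = plus + 1;
    }
}
```

Note that decoding happens after the split, so a percent-encoded '+' or metacharacter cannot create an extra argument, but it still has to fail the whitelist; a server that only escapes (the "always active" half of the fix) would instead pass such a value through with the metacharacters quoted.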