TinyWeb HTTP Server Uncontrolled Resource Consumption DoS via Content-Length (CVE-2026-27633)

The following key vulnerability information can be extracted from this webpage screenshot: CVE ID: CVE-2026-27633 Risk Severity: High (CVSS Base Score: 8.7) Vulnerability Type: Uncontrolled Resource Consumption (CWE-400), Memory Exhaustion Product: TinyWeb HTTP Server Impacted Version: Version 2.01 and below Fix Version: 2.02 (February 25, 2026) CVSS Score: 8.7 Severity: High Vector String: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description: When an HTTP request includes a header, the server fails to properly enforce a maximum limit on the HTTP request body size before allocating memory. Unauthenticated remote attackers can send a Request with a very large , causing the server to continuously reallocate memory until it exhausts all available resources and crashes. Affected code snippet from : Fix: The issue was addressed in version 2.02 by introducing a maximum payload size limit: - defines the maximum size of accepted HTTP request bodies, default set to 10MB. - Excessively sized requests receive an immediate HTTP 413 Payload Too Large response. - Commit is . Workaround: If upgrading to version 2.02 isn't feasible, mitigate by placing a Web Application Firewall (WAF) or reverse proxy to limit the maximum HTTP request body size. References**: - TinyWeb GitHub Repository - CWE-400: Uncontrolled Resource Consumption - CVE-2015-3183: Apache HTTP Content-Length DoS - CVE-2019-9517: HTTP/2 internal data limit

Goal Reached Thanks to every supporter — we hit 100%!

TinyWeb HTTP Server Uncontrolled Resource Consumption DoS via Content-Length (CVE-2026-27633)