Multiple vulnerabilities in Small HTTP server by Smallsrv
Posted date 26/03/2026
Identificador
INCIBE-2026-232
Importance
4 - High
Affected Resources
Small HTTP server V3.06.36;
Description
INCIBE has coordinated the publication of two high-severity vulnerabilities affecting Smallsrv's Small HTTP server, a very lightweight and portable web server for Windows. The vulnerability has been discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:
- CVE-2025-41368: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-22
- CVE-2025-41359: CVSS v4.0: 8.5 | CVSS AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-428
Solution
The vulnerability has been fixed in version V3.06.38.
Detail
- CVE-2025-41368: problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outside the document root configured on the server.
- CVE-2025-41359: vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
CVE
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2025-41368 | Alta | No | Smallsrv |
| CVE-2025-41359 | Alta | No | Smallsrv |
References list
Etiquetas
