Small HTTP Server Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in Small HTTP Server version 3.06.36: the service path for the executable 'http.exe service' is not quoted. Because of this misconfiguration, a local attacker can place a malicious executable with the same name in a higher-priority directory, and the service then executes that file instead of the legitimate one. Exploitation could result in arbitrary code execution, unauthorized system access, or disruption of the service.

Impact

Exploitation of this vulnerability could allow local attackers to execute arbitrary code, gain unauthorized access to the system, or disrupt the service.

Remediation

Users are advised to update to Small HTTP Server version 3.06.38, ensure that service paths are properly quoted, and restrict physical and network access to the system.
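
The "ensure that service paths are properly quoted" step can be checked with a short audit. The following PowerShell is an added example, not code from the vendor or from this advisory; the function name `Get-UnquotedServicePathFinding` and the sample install directory are assumptions made for illustration.

```powershell
# Added example: flag service command lines whose executable path contains
# spaces but is not wrapped in quotes, and propose the quoted form.
function Get-UnquotedServicePathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $p = $PathName.Trim()
    # Already quoted: the executable is delimited unambiguously.
    if ($p.StartsWith('"')) { return $null }
    # Separate the executable from its arguments at the first ".exe".
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') { return $null }
    $exe = $Matches['exe']
    # No whitespace in the executable path means nothing ambiguous.
    if ($exe -notmatch '\s') { return $null }
    [pscustomobject]@{
        Service   = $Name
        Current   = $p
        Suggested = '"{0}"{1}' -f $exe, $Matches['args']
    }
}

# Constructed sample data. The directory is a placeholder; the advisory
# does not state where Small HTTP Server is installed.
$samples = @(
    @{ Name = 'ExampleHttp'; PathName = 'C:\Program Files\Example Server\http.exe service' },
    @{ Name = 'QuotedHttp';  PathName = '"C:\Program Files\Example Server\http.exe" service' },
    @{ Name = 'NoSpaces';    PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples | ForEach-Object { Get-UnquotedServicePathFinding @_ } | Format-List

# On a Windows host, run the same check against the installed services.
if ($env:OS -eq 'Windows_NT') {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object PathName |
        ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName } |
        Format-Table -AutoSize -Wrap
}
```

Only the first sample is reported. A service's command line is stored in the `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>`, which is where the quoted form is applied.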

Added: Mar 26, 2026, 1:37 PM
Updated: Mar 26, 2026, 1:37 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 3.6
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.