Small HTTP Server Unquoted Service Path Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in Small HTTP Server version 3.06.36 due to an unquoted service path for the executable 'http.exe service'. This misconfiguration allows local attackers to place a malicious executable with the same name in a higher-priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploitation of this vulnerability could result in arbitrary code execution, unauthorized system access, or service disruption.

Impact

Exploitation of this vulnerability could allow arbitrary code execution, unauthorized access to the system, or disruption of the service.

Remediation

Users are advised to update to Small HTTP Server version 3.06.38, ensure that service paths are properly quoted, and restrict physical and network access to the system.
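
One way to check for the "properly quoted" condition is to audit service ImagePath values, as in the added example below (not code from the vendor or from this advisory). The service names and install directories in the sample are constructed placeholders, since the advisory does not give the installation path.

```python
import re

# Constructed sample ImagePath values (assumptions, not from the advisory).
SAMPLE_SERVICES = {
    "ExampleHttpSvc": r"C:\Program Files\Example Server\http.exe service",
    "QuotedSvc": r'"C:\Program Files\Example Server\http.exe" service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# End of the executable name in an unquoted command line. If a directory
# name itself ends in ".exe", the first match wins (inherently ambiguous).
EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip(), True
        s = s[1:]  # unbalanced quote: handle the rest as unquoted
    m = EXE_END.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False

def audit(image_path):
    """Flag an unquoted executable path containing spaces; suggest a fix."""
    exe, args, quoted = split_image_path(image_path)
    vulnerable = (not quoted) and (" " in exe)
    suggested = image_path
    if vulnerable:
        suggested = f'"{exe}"' + (f" {args}" if args else "")
    return {"executable": exe, "vulnerable": vulnerable, "suggested": suggested}

def findings(services):
    """Return the names of services whose ImagePath needs quoting."""
    return [name for name, path in services.items() if audit(path)["vulnerable"]]

if __name__ == "__main__":
    for name in findings(SAMPLE_SERVICES):
        print(name, "->", audit(SAMPLE_SERVICES[name])["suggested"])
```

On a real host, the dictionary would be filled from each service's ImagePath value rather than from the sample data.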

Added: Mar 26, 2026, 12:29 PM
Updated: Mar 26, 2026, 12:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 3.6
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.