{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33622", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.617Z", "datePublished": "2026-03-26T20:44:48.220Z", "dateUpdated": "2026-03-27T20:20:00.663Z"}, "containers": {"cna": {"title": "A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"}], "affected": [{"vendor": "pinchtab", "product": "pinchtab", "versions": [{"version": ">= 0.8.3, <= 0.8.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:44:48.220Z"}, "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."}], "source": {"advisory": "GHSA-w5pc-m664-r62v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:19:52.439419Z", "id": "CVE-2026-33622", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:20:00.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33622", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:19:52.439419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:19:57.398Z"}}], "cna": {"title": "A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution", "source": {"advisory": "GHSA-w5pc-m664-r62v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "pinchtab", "product": "pinchtab", "versions": [{"status": "affected", "version": ">= 0.8.3, <= 0.8.5"}]}], "references": [{"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v", "name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:44:48.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33622", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:20:00.663Z", "dateReserved": "2026-03-23T14:24:11.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:44:48.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8BC24E9-CDA7-402A-AAC5-B47FC6591F59", "versionEndIncluding": "0.8.5", "versionStartIncluding": "0.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."}, {"lang": "es", "value": "PinchTab es un servidor HTTP independiente que da a los agentes de IA control directo sobre un navegador Chrome. PinchTab 'v0.8.3' a 'v0.8.5' permiten la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de 'POST /wait' y 'POST /tabs/{id}/wait' cuando la solicitud usa el modo 'fn', incluso si 'security.allowEvaluate' est\u00e1 deshabilitado. 'POST /evaluate' aplica correctamente la protecci\u00f3n 'security.allowEvaluate', que est\u00e1 deshabilitada por defecto. Sin embargo, en las versiones afectadas, 'POST /wait' acept\u00f3 una expresi\u00f3n 'fn' controlada por el usuario, la incrust\u00f3 directamente en JavaScript ejecutable y la evalu\u00f3 en el contexto del navegador sin verificar la misma pol\u00edtica. Esto es una omisi\u00f3n de pol\u00edtica de seguridad en lugar de una omisi\u00f3n de autenticaci\u00f3n separada. La explotaci\u00f3n a\u00fan requiere acceso autenticado a la API, pero un llamador con el token del servidor puede ejecutar JavaScript arbitrario en un contexto de pesta\u00f1a incluso cuando el operador deshabilit\u00f3 expl\u00edcitamente la evaluaci\u00f3n de JavaScript. El 'worktree' actual soluciona esto aplicando el mismo l\u00edmite de pol\u00edtica al modo 'fn' en '/wait' que ya existe en '/evaluate', mientras se preservan los modos de espera que no son de c\u00f3digo. A partir del momento de la publicaci\u00f3n, una versi\u00f3n parcheada a\u00fan no est\u00e1 disponible."}], "id": "CVE-2026-33622", "lastModified": "2026-03-31T16:11:45.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:06.780", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.8.3,0.8.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pinchtab", "source": "cna", "vendor": "pinchtab"}, "product": "pinchtab", "vendor": "pinchtab"}], "analysis": {"en": {"generated_at": "2026-03-31T17:35:40.559304+00:00", "value": {"mitigation_remediation": ["Upgrade to the patched PinchTab version once it becomes available.", "Ensure API tokens are stored securely and only issued to trusted users.", "Restrict network access to the PinchTab API to trusted hosts or VPNs.", "Keep an eye on the vendor\u2019s security advisories for updates."], "summary": {"action": "Patch ASAP", "impact": "Arbitrary JavaScript execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PinchTab product released as a standalone HTTP server, specifically versions 0.8.3 through 0.8.5. The functionality controlled by the API allows AI agents direct command over a Chrome browser, and the flaw exists in the handling of POST /wait and POST /tabs/{id}/wait when fn mode is used. The security.allowEvaluate setting remains disabled by default, but the policy bypass ignores this guard. No other vendors or versions are reported as affected, and the current source tree has been patched to enforce the same policy boundary on fn mode.", "description_and_impact": "The affected PinchTab HTTP server versions 0.8.3 through 0.8.5 contain a security\u2011policy bypass that permits an authenticated user to execute arbitrary JavaScript in a Chrome tab by sending a POST /wait request with fn mode. The server directly embeds the user\u2011supplied fn expression into executable JavaScript and evaluates it in the browser context without honoring the security.allowEvaluate guard, which is disabled by default. This flaw effectively grants remote code execution capabilities within the controlled browser, exposing confidentiality, integrity, and availability of the system that runs the agent. The weakness aligns with CWE\u2011284, CWE\u2011693, and CWE\u201194.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, reinforcing its relative novelty. Exploitation requires possession of an authenticated API token, so it cannot be leveraged through unauthenticated access. Nevertheless, once an attacker gains token access, they can inject and run malicious JavaScript inside the agent\u2019s browser context. Until a public patch is released, the risk remains contingent on securing authentication credentials and monitoring for malicious activity."}}}}, "created": "2026-03-27T08:31:58.553391+00:00", "updated": "2026-03-31T20:08:39.717705+00:00", "vendors": ["pinchtab", "pinchtab$PRODUCT$pinchtab"]}