Lucene search
+L

86 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/26 8:44 p.m.1 views

CVE-2026-33622

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 through v0.8.5 allow arbitrary JavaScript execution through POST /wait and POST /tabs/id/wait when the request uses fn mode, even if security.allowEvaluate is disabled. POST /evaluate...

6.1CVSS6.2AI score0.00512EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/26 8:44 p.m.3 views

CVE-2026-33622 A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 through v0.8.5 allow arbitrary JavaScript execution through POST /wait and POST /tabs/id/wait when the request uses fn mode, even if security.allowEvaluate is disabled. POST /evaluate...

6.1CVSS6.3AI score0.00512EPSS
Exploits1References1
OSV
OSV
added 2026/03/26 8:44 p.m.8 views

CVE-2026-33622 A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 through v0.8.5 allow arbitrary JavaScript execution through POST /wait and POST /tabs/id/wait when the request uses fn mode, even if security.allowEvaluate is disabled. POST /evaluate...

6.1CVSS6.3AI score0.00512EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/26 8:42 p.m.1 views

CVE-2026-33621

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in...

4.8CVSS5.8AI score0.00308EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/26 8:42 p.m.1 views

CVE-2026-33621 PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in...

4.8CVSS5.8AI score0.00308EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/26 8:42 p.m.28 views

CVE-2026-33621 PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in...

4.8CVSS0.00308EPSS
Exploits1References3
CVE
CVE
added 2026/03/26 8:42 p.m.11 views

CVE-2026-33621

CVE-2026-33621 concerns PinchTab, a local HTTP server that exposes auth-checkable endpoints to AI agents. Public documents describe a history of incomplete request-throttling protections in versions 0.7.7–0.8.4: the RateLimitMiddleware existed but was not wired into the production handler chain, ...

6.5CVSS5.8AI score0.00308EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/26 8:42 p.m.8 views

CVE-2026-33621 PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in...

4.8CVSS6.3AI score0.00308EPSS
Exploits1References5
OSV
OSV
added 2026/03/26 8:40 p.m.6 views

CVE-2026-33620 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

4.3CVSS6.3AI score0.00273EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/03/26 8:40 p.m.26 views

CVE-2026-33620 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

4.3CVSS0.00273EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/26 8:40 p.m.5 views

CVE-2026-33620 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

4.3CVSS5.9AI score0.00273EPSS
Exploits1References2
CVE
CVE
added 2026/03/26 8:40 p.m.13 views

CVE-2026-33620

CVE-2026-33620 concerns PinchTab, a standalone HTTP server that exposes a Chrome-control API. The affected range is PinchTab versions v0.7.8–v0.8.3, which accepted an API credential via a token URL query parameter in addition to the Authorization header. When a valid credential is passed in the U...

4.3CVSS5.8AI score0.00273EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/26 8:34 p.m.17 views

CVE-2026-33619

PinchTab v0.8.3 exposes an unauthenticated blind SSRF via the scheduler’s webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the scheduler issues an outbound POST to that URL at terminal state. The webhook path only validated the URL scheme, failing...

5.5CVSS5.8AI score0.00249EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/03/26 8:34 p.m.31 views

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

4.1CVSS0.00249EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/26 8:34 p.m.2 views

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

4.1CVSS5.9AI score0.00249EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/26 8:34 p.m.4 views

CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

4.1CVSS5.8AI score0.00249EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/26 8:34 p.m.6 views

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

4.1CVSS6.3AI score0.00249EPSS
Exploits1References5
OSV
OSV
added 2026/03/26 8:33 p.m.8 views

GO-2026-4823 PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab...

7.2CVSS5.9AI score0.02904EPSS
Exploits1References2
OSV
OSV
added 2026/03/26 8:33 p.m.5 views

GO-2026-4821 PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token in github.com/pinchtab/pinchtab

PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token in github.com/pinchtab/pinchtab...

6.5CVSS5.8AI score0.00308EPSS
Exploits1References2
OSV
OSV
added 2026/03/26 8:33 p.m.8 views

GO-2026-4822 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems in github.com/pinchtab/pinchtab

PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems in github.com/pinchtab/pinchtab...

4.3CVSS5.8AI score0.00273EPSS
Exploits1References2
Rows per page
Query Builder