CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVE-2026-33619

PinchTab v0.8.3 exposes an unauthenticated blind SSRF via the scheduler’s webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the scheduler issues an outbound POST to that URL at terminal state. The webhook path only validated the URL scheme, failing...

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

GO-2026-4860 OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao

OpenBao lacks user confirmation for OIDC direct callback mode in github.com/openbao/openbao...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the callbackUrl parameter in the Task Scheduler process. An attacker can cause the server to make arbitrary HTTP requests to external or internal systems by supplying a crafted URL. Remediation Upgra...

GO-2026-4825 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl in github.com/pinchtab/pinchtab

PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl in github.com/pinchtab/pinchtab...

CVE-2026-33506

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

CVE-2026-33506

Ory Polis (formerly BoxyHQ Jackson) contains a DOM-based XSS in its login flow prior to version 26.2.0 . The vulnerability stems from trusting a URL parameter callbackUrl that is passed to router.push, allowing an attacker to lure a user into opening a malicious link, which triggers a client-side...

EUVD-2026-16320

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

CVE-2026-33506

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

CVE-2026-33506 DOM-Based XSS in Ory Polis Login Page

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

CVE-2026-33506 DOM-Based XSS in Ory Polis Login Page

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting XSS vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter callbackUrl,...

OpenBao has Reflected XSS in its OIDC authentication error message

Impact OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a...

GHSA-CPJ3-3R2F-XJ59 OpenBao has Reflected XSS in its OIDC authentication error message

Impact OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a...

OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

GHSA-7Q7G-X6VG-XPC3 OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

Session Fixation

Overview Affected versions of this package are vulnerable to Session Fixation in the authentication process when callbackmode is set to direct. An attacker can gain unauthorized access to a victim's session by initiating an authentication request and tricking the victim into visiting a crafted UR...

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the list.json.php endpoints of the Scheduler plugin, which lack authentication checks. An attacker can access sensitive information such a...