github.com/pinchtab/pinchtab vulnerabilities
7 known vulnerabilities affecting github.com/pinchtab/pinchtab.

| Total CVEs | CISA KEV | Public exploits | Exploited in wild |
|---|---|---|---|
| 7 | 0 | 0 | 0 |

Severity breakdown: MEDIUM 6, UNKNOWN 1

Vulnerabilities
**CVE-2026-33622** · P2 · MEDIUM · affected versions: ≥ 0.8.3 · 2026-03-24
CVE-2026-33622 [MEDIUM] CWE-284 A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution
### Summary
PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled.
`POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by
Sources: GHSA, OSV
**CVE-2026-33623** · P3 · MEDIUM · affected versions: ≥ 0, < 0.8.5 · 2026-03-24
CVE-2026-33623 [MEDIUM] CWE-400 PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution
### Summary
PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the p
Sources: GHSA, OSV
**CVE-2026-30834** · P3 · UNKNOWN · affected versions: ≥ 0, < 0.7.7 · 2026-03-10
CVE-2026-30834 PinchTab has SSRF with Full Response Exfiltration via Download Handler in github.com/pinchtab/pinchtab
Sources: OSV
**CVE-2026-33621** · P3 · MEDIUM · affected versions: ≥ 0.7.7, < 0.8.5 · 2026-03-24
CVE-2026-33621 [MEDIUM] CWE-290 PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token
### Summary
PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddleware` existed in `internal/handlers/middleware.go` but was not inserted into the production HTTP han
Sources: GHSA, OSV
**CVE-2026-33619** · P4 · MEDIUM · affected versions: ≥ 0, < 0.8.4 · 2026-03-24
CVE-2026-33619 [MEDIUM] CWE-918 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl
### Summary
PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 scheduler sends an outbound HTTP `POST` to that URL when the task reaches a term
Sources: GHSA, OSV
**CVE-2026-33620** · P4 · MEDIUM · affected versions: ≥ 0.7.8, < 0.8.4 · 2026-03-24
CVE-2026-33620 [MEDIUM] CWE-598 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems
### Summary
PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or clie
Sources: GHSA, OSV
**CVE-2026-33081** · P4 · MEDIUM · affected versions: ≥ 0, < 0.8.3 · 2026-03-18
CVE-2026-33081 [MEDIUM] CWE-918 PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation
### Summary
The /download endpoint validates only the initial URL provided by the user using `validateDownloadURL()` to prevent requests to internal or private network addresses.
Exploitation requires `security.allowDownload=true`, which is disabled by default.
However, pages loaded by the embed
Sources: GHSA, OSV