cvebase

Github.Com Pinchtab Pinchtab Cmd Pinchtab vulnerabilities

3 known vulnerabilities affecting github.com/pinchtab_pinchtab_cmd_pinchtab.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2026-33622 | P2 | MEDIUM | ≥ 0.8.3, ≤ 0.8.5 | 2026-03-24
CVE-2026-33622 [MEDIUM] CWE-284 A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution
### Summary
PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by
Sources: GHSA, OSV

CVE-2026-33623 | P3 | MEDIUM | ≥ 0, < 0.8.5 | 2026-03-24
CVE-2026-33623 [MEDIUM] CWE-400 PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution
### Summary
PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the p
Sources: GHSA, OSV

CVE-2026-30834 | P3 | HIGH | ≥ 0, < 0.7.7 | 2026-03-06
CVE-2026-30834 [HIGH] CWE-918 PinchTab has SSRF with Full Response Exfiltration via Download Handler
### Summary
A Server-Side Request Forgery (SSRF) vulnerability in the `/download` endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate th
Sources: GHSA, OSV