PT-2026-27629 · Pinchtab · Pinchtab

Yesuhei · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33622

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PinchTab versions 0.8.3 through 0.8.5

Description: PinchTab versions 0.8.3 through 0.8.5 contain a security bypass that allows arbitrary JavaScript execution through the POST /wait and POST /tabs/{id}/wait API endpoints when fn mode is used, even if security.allowEvaluate is disabled. The POST /evaluate endpoint correctly enforces the security.allowEvaluate guard, but in the affected versions POST /wait accepts a user-controlled fn expression, embeds it directly into executable JavaScript, and evaluates it in the browser context without the same policy check. Exploitation requires authenticated API access with a server token; with that access, an attacker can execute arbitrary JavaScript in a tab context even when the operator has explicitly disabled JavaScript evaluation. The root cause is the missing policy check in the fn mode of the /wait endpoint: fn mode builds executable JavaScript from the request field and passes it to chromedp.Evaluate, so a caller can supply expressions with side effects, whereas /evaluate enforces the security.allowEvaluate setting before evaluating anything.

Recommendations: Update to a newer version of PinchTab that contains a fix for this vulnerability. As a temporary workaround, consider disabling the fn mode in the /wait endpoint until a patch is available.
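The bypass described above, reduced to its policy decision, as an added illustration that is not PinchTab's own code: the SecurityConfig, WaitRequest, and the two script-building functions are hypothetical stand-ins for the real handlers, and the generated JavaScript strings are constructed for the example. The point it shows is that fn mode produces exactly the kind of caller-controlled script /evaluate guards, so the fixed path applies the same security.allowEvaluate check before any expression is built.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityConfig carries the operator setting the advisory names.
type SecurityConfig struct {
	AllowEvaluate bool // security.allowEvaluate
}

// WaitRequest is a hypothetical body for POST /wait: "selector" mode waits
// for an element, "fn" mode waits until a caller-supplied expression is truthy.
type WaitRequest struct {
	Mode, Selector, Fn string
}
var ErrEvaluateDisabled = errors.New("fn mode requires security.allowEvaluate")

// buildWaitScript is why fn mode equals /evaluate: the caller's text is
// embedded verbatim into JavaScript that the browser will execute.
func buildWaitScript(fn string) string {
	return fmt.Sprintf("(() => !!(%s))()", fn)
}

// vulnerableWaitScript models 0.8.3 through 0.8.5: the policy is never consulted.
func vulnerableWaitScript(cfg SecurityConfig, req WaitRequest) (string, error) {
	if req.Mode == "fn" {
		return buildWaitScript(req.Fn), nil
	}
	return fmt.Sprintf("document.querySelector(%q) !== null", req.Selector), nil
}

// fixedWaitScript applies the guard /evaluate already enforces before any
// caller-controlled expression becomes code; selector mode is unchanged.
func fixedWaitScript(cfg SecurityConfig, req WaitRequest) (string, error) {
	if req.Mode == "fn" && !cfg.AllowEvaluate {
		return "", ErrEvaluateDisabled
	}
	return vulnerableWaitScript(cfg, req)
}

func main() {
	cfg := SecurityConfig{AllowEvaluate: false} // operator disabled evaluation
	req := WaitRequest{Mode: "fn", Fn: "document.title.length > 0"}
	old, _ := vulnerableWaitScript(cfg, req)
	fmt.Println("affected build would evaluate:", old)
	if _, err := fixedWaitScript(cfg, req); err != nil {
		fmt.Println("fixed build refuses:", err)
	}
}
```

Only the script returned by fixedWaitScript would be handed to chromedp.Evaluate, so a disabled security.allowEvaluate now fails fn-mode requests the same way it fails /evaluate.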

Weakness Enumeration

Code Injection
Improper Access Control
Protection Mechanism Failure

Related Identifiers

CVE-2026-33622
GHSA-W5PC-M664-R62V
GO-2026-4824
SUSE-SU-2026:1135-1

Affected Products

Pinchtab