CVE-2026-33622
JavaScript Injection in PinchTab HTTP Server via /wait Endpoint
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pinchtab | pinchtab | From 0.8.3 (inc) to 0.8.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to execute arbitrary JavaScript in browser tabs, potentially enabling unauthorized reading or modification of page state and actions within authenticated sessions.
This security policy bypass could lead to exposure or manipulation of sensitive data handled by the affected system, which may impact compliance with standards and regulations such as GDPR or HIPAA that require strict controls over data confidentiality and integrity.
However, exploitation requires authenticated API access with a valid server token, so the risk depends on the strength of access controls and the exposure of the API.
Can you explain this vulnerability to me?
CVE-2026-33622 is a security policy bypass vulnerability in PinchTab versions v0.8.3 through v0.8.5 that allows arbitrary JavaScript execution via the POST /wait and POST /tabs/{id}/wait endpoints when using the "fn" mode, even if the security.allowEvaluate setting is disabled.
The vulnerability arises because, unlike the POST /evaluate endpoint which correctly enforces the security.allowEvaluate guard, the POST /wait endpoint accepts a user-controlled JavaScript expression (fn) and directly embeds it into executable JavaScript evaluated in the browser context without enforcing the same security policy.
This means that an authenticated user with API access and a valid server token can execute arbitrary JavaScript in a browser tab context even when JavaScript evaluation is explicitly disabled by the operator.
How can this vulnerability impact me?
This vulnerability allows an authenticated API user to bypass the security restriction that disables JavaScript evaluation, enabling arbitrary JavaScript execution within browser tabs controlled by PinchTab. Concretely, this means:
- Bypassing the explicit security.allowEvaluate control.
- Executing arbitrary JavaScript code in browser tabs.
- Reading or modifying the state of web pages loaded in the browser tabs.
- Acting within authenticated sessions, potentially leading to unauthorized actions.
However, exploitation requires authenticated API access with a valid server token, so the risk depends on the security of API access controls and exposure of sensitive browser tab contexts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if the PinchTab server is running a vulnerable version (v0.8.3 through v0.8.5) and if the POST /wait or POST /tabs/{id}/wait endpoints accept and execute JavaScript in fn mode despite security.allowEvaluate being disabled.
A practical detection method is to attempt to execute a harmless JavaScript expression via the POST /wait endpoint using fn mode with authenticated API access and observe if the code executes in the browser tab context.
Example steps to test this (assuming you have a valid server token and access):
1. Confirm that POST /evaluate is blocked by policy (it should return 403 if security.allowEvaluate is disabled).
2. Open a new tab via POST /navigate.
3. Send a POST request to /wait with fn mode containing a harmless JavaScript expression, for example: `{"mode":"fn", "fn":"window._poc_executed=true"}`.
4. Verify the side effect by querying the same property (e.g., window._poc_executed) to confirm whether the code executed.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting authenticated API access to trusted users only, as exploitation requires valid server tokens.
Additionally, monitor and limit access to the POST /wait and POST /tabs/{id}/wait endpoints, especially when using fn mode.
If possible, disable or restrict the use of fn mode in /wait endpoints until a patched version is available.
Apply the patch once it is released, which enforces the same security.allowEvaluate policy check on fn mode in /wait as is done on /evaluate, preventing arbitrary JavaScript execution.
In the meantime, consider adding monitoring or alerting for suspicious API calls that use fn mode in /wait endpoints.
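As an added example (not PinchTab's own code), the Go handler below shows the shape of the fix the mitigation advice describes: one policy check shared by /evaluate and by /wait or /tabs/{id}/wait in fn mode, applied before any caller-supplied expression is embedded, with rejected calls logged for the monitoring suggested above. The SecurityConfig type, the 202/403/400 status choices and the route matching are assumptions made for this example; the request body shape `{"mode":"fn","fn":...}` is the one the advisory describes.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
	"strings"
)

// SecurityConfig stands in for security.allowEvaluate (names assumed here).
type SecurityConfig struct{ AllowEvaluate bool }

// Decide returns the status a request should get: 400 for bad JSON, 403 when
// it would evaluate caller JavaScript while evaluation is disabled, 202 when it
// may proceed. /evaluate always evaluates; /wait and /tabs/{id}/wait do so only
// in mode "fn", which is the case v0.8.3 through v0.8.5 failed to guard.
func Decide(cfg SecurityConfig, path string, body []byte) int {
	var req struct{ Mode string `json:"mode"` }
	if err := json.Unmarshal(body, &req); err != nil {
		return http.StatusBadRequest
	}
	evaluates := path == "/evaluate" || (strings.HasSuffix(path, "/wait") && req.Mode == "fn")
	if evaluates && !cfg.AllowEvaluate {
		return http.StatusForbidden
	}
	return http.StatusAccepted
}

// Handler runs Decide before any expression is embedded and logs rejected
// calls, the audit signal the mitigation advice asks operators to watch.
func Handler(cfg SecurityConfig) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // short reads fail as bad JSON
		status := Decide(cfg, r.URL.Path, body)
		if status == http.StatusForbidden {
			log.Printf("policy: evaluation rejected path=%s remote=%s", r.URL.Path, r.RemoteAddr)
		}
		if status != http.StatusAccepted {
			http.Error(w, http.StatusText(status), status)
			return
		}
		w.WriteHeader(status) // a real server would perform the evaluate/wait here
	}
}

func main() {
	http.Handle("/wait", Handler(SecurityConfig{AllowEvaluate: false})) // evaluation disabled
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```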