RCE in PinchTab

CVE-2026-33622

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (32.6th percentile)

Affected products

  • Pinchtab — versions >= 0.8.3, <= 0.8.5

References