Description

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using a `needle` derived from the profile path. In `v0.8.4`, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they may be able to execute arbitrary PowerShell commands on the Windows host in the security context of the PinchTab process user. This is not an unauthenticated internet RCE. It requires authenticated, administrative-equivalent API access to instance lifecycle endpoints, and the resulting command execution inherits the permissions of the PinchTab OS user rather than bypassing host privilege boundaries. Version 0.8.5 contains a patch for the issue.

INFO

Published Date :

2026-03-26T20:47:05.652Z

Last Modified :

2026-03-27T20:01:25.733Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33623 vulnerability.

Vendors Products
Pinchtab
  • Pinchtab
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33623.

URL Resource
https://github.com/pinchtab/pinchtab/commit/25b3374bdcdf0dad32c44d5d726bf953238cd8bd cve-icon cve-icon
https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact