Platform: go
Component: github.com/pinchtab/pinchtab/cmd/pinchtab
Fixed in: 0.8.4, 0.8.6
CVE-2026-33622 is a cross-site scripting (XSS) vulnerability in PinchTab, a Go application for managing browser tabs and workflows. In versions 0.8.3 through 0.8.5, the /wait and /tabs/{id}/wait endpoints accept a 'fn' mode that evaluates caller-supplied JavaScript, and they do so even when the security.allowEvaluate setting is disabled. An attacker who can reach these endpoints can therefore run arbitrary JavaScript in the affected browser session, with consequences ranging from session hijacking and data theft to page defacement. Fixed versions are listed above.
The primary impact of CVE-2026-33622 is arbitrary JavaScript execution in the context of a victim's browser session. That is enough to read cookies and authentication tokens and impersonate the user, to rewrite the displayed page for phishing, or to load further malicious content. The bypass of security.allowEvaluate matters in its own right: operators who disabled script evaluation as a deliberate control are still exposed, because the 'fn' mode does not honour that setting. Since PinchTab sits in front of live browser sessions, the data reachable from an exploited instance is whatever those sessions can see.
CVE-2026-33622 was publicly disclosed on 2026-03-24. No public proof-of-concept (PoC) has been confirmed as of this date, the EPSS score below is low, and the CVE is not listed in the CISA KEV catalog. Even so, XSS flaws of this kind are straightforward to weaponize once the request format is known, and the policy bypass removes the control that would otherwise limit the damage, so organizations running affected versions should prioritize mitigation.
Exploit Status
EPSS: 0.07% (23rd percentile)
CISA SSVC
The most effective mitigation for CVE-2026-33622 is to upgrade to a version of PinchTab listed under Fixed in above; because 0.8.5 is affected, that means 0.8.6 or later. If upgrading is not immediately feasible, disable the 'fn' mode in the PinchTab configuration so that the vulnerable code path in the /wait and /tabs/{id}/wait endpoints cannot be reached. Note that tightening security.allowEvaluate alone does not help, since the flaw is precisely that the 'fn' mode ignores that setting. Beyond that, restrict network access to the /wait and /tabs/{id}/wait endpoints to trusted callers, and consider a Web Application Firewall (WAF) or reverse-proxy rule that rejects requests to those endpoints when they request 'fn' mode; rejecting the mode outright is more reliable than trying to recognize "suspicious" JavaScript in the 'fn' parameter, which is easy to obfuscate. Monitor application and proxy logs for requests to these endpoints, especially ones that carry a 'fn' payload.
Apply the fix as soon as you can: the vulnerability allows arbitrary JavaScript execution, and the patched versions are already available. See the security advisory on GitHub for details and any further updates.
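The following is an added example (not code from the PinchTab project or from this advisory) of the reverse-proxy-style guard described above, written in Go. It assumes a deployment where PinchTab sits behind a small Go front end, and it assumes a request format that is NOT taken from PinchTab's documentation: the mode is guessed to arrive either as a query parameter (mode=fn or fn=...) or as a JSON body with a "mode" or "fn" field. Adjust `fnModeRequested` to the actual request shape of the version you run; the point is that the guard fails closed on the endpoint paths and the mode, rather than pattern-matching JavaScript.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// waitPath matches the endpoint shapes named in the advisory: /wait and /tabs/{id}/wait.
var waitPath = regexp.MustCompile(`^/(?:tabs/[^/]+/)?wait/?$`)

// maxBody bounds how much of a request body the guard buffers before deciding.
const maxBody = 1 << 20

// fnModeRequested reports whether a request to a wait endpoint asks for 'fn' mode.
// ASSUMPTION (not taken from PinchTab's API): the mode is carried either as a query
// parameter ("mode=fn" or a non-empty "fn=...") or as a JSON body whose "mode" field
// is "fn" or whose "fn" field is present and not null. Presence of the "fn" key is
// enough to reject, so the guard fails closed. The body is re-attached afterwards so
// the upstream handler still receives it.
func fnModeRequested(r *http.Request) (bool, error) {
	q := r.URL.Query()
	if strings.EqualFold(q.Get("mode"), "fn") || q.Get("fn") != "" {
		return true, nil
	}
	if r.Body == nil || !strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
		return false, nil
	}
	raw, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
	if err != nil {
		return false, err
	}
	r.Body = io.NopCloser(bytes.NewReader(raw))
	if len(raw) > maxBody {
		return false, fmt.Errorf("body exceeds %d bytes", maxBody)
	}
	var body struct {
		Mode string          `json:"mode"`
		Fn   json.RawMessage `json:"fn"`
	}
	if err := json.Unmarshal(raw, &body); err != nil {
		return false, err // an undecodable body is rejected rather than forwarded
	}
	fnPresent := len(body.Fn) > 0 && string(body.Fn) != "null"
	return strings.EqualFold(body.Mode, "fn") || fnPresent, nil
}

// BlockFnMode wraps an upstream handler (for example a reverse proxy to PinchTab) and
// rejects wait requests that use fn mode; all other traffic passes through unchanged.
func BlockFnMode(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if waitPath.MatchString(r.URL.Path) {
			fn, err := fnModeRequested(r)
			if err != nil {
				http.Error(w, "malformed wait request", http.StatusBadRequest)
				return
			}
			if fn {
				http.Error(w, "fn mode is disabled (CVE-2026-33622 mitigation)", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard (with a stub upstream that
// always answers 200) and returns the resulting status code.
func probe(method, target, body string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if body != "" {
		req.Header.Set("Content-Type", "application/json")
	}
	rec := httptest.NewRecorder()
	BlockFnMode(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests; the fn payload is illustrative only.
	fmt.Println(probe("POST", "/wait", `{"mode":"fn","fn":"() => document.cookie"}`))  // 403
	fmt.Println(probe("POST", "/tabs/abc/wait", `{"mode":"selector","selector":"#done"}`)) // 200
	fmt.Println(probe("GET", "/wait?mode=fn", ""))                                         // 403
	fmt.Println(probe("GET", "/tabs/abc", ""))                                             // 200
}
```

The guard keys on the endpoint path and the requested mode, not on the JavaScript text, so it cannot be bypassed by encoding or obfuscating the payload; the trade-off is that it also blocks legitimate 'fn' callers, which is the intended effect until the upgrade is done.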
CVE-2026-33622 is a cross-site scripting (XSS) vulnerability in PinchTab versions 0.8.3 through 0.8.5 that allows attackers to execute arbitrary JavaScript through the 'fn' mode of the /wait and /tabs/{id}/wait endpoints, bypassing the security.allowEvaluate setting.
You are affected if you are using PinchTab versions 0.8.3, 0.8.4, or 0.8.5 and have not upgraded to a patched version.
Upgrade to a fixed version of PinchTab (0.8.6 or later, since 0.8.5 is affected). If you cannot upgrade immediately, disable the 'fn' mode in your PinchTab configuration and restrict access to the /wait and /tabs/{id}/wait endpoints.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests a potential for exploitation.
Refer to the PinchTab project's official website or GitHub repository for updates and advisories regarding CVE-2026-33622.