Platform
go
Component
github.com/pinchtab/pinchtab/cmd/pinchtab
Fixed version
0.8.4
0.8.6
CVE-2026-33622 describes a cross-site scripting (XSS) vulnerability discovered in PinchTab, a Go-based application. This flaw allows attackers to inject and execute arbitrary JavaScript code within a user's browser, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects versions 0.8.3 through 0.8.5 of PinchTab and can be exploited through the /wait and /tabs/{id}/wait endpoints when using the 'fn' mode. A fix is available by upgrading to a patched version.
The primary impact of CVE-2026-33622 is the ability for an attacker to execute malicious JavaScript code in the context of a victim's browser session. This can be exploited to steal sensitive information, such as cookies and authentication tokens, allowing the attacker to impersonate the user. Furthermore, an attacker could modify the content of the page displayed to the user, potentially leading to phishing attacks or the injection of malware. The bypass of the security.allowEvaluate setting significantly increases the risk, as it circumvents a designed security control. This vulnerability is particularly concerning given PinchTab's potential use in managing browser tabs and workflows, which could expose a wide range of user data and activities.
CVE-2026-33622 was publicly disclosed on 2026-03-24. The vulnerability's nature (XSS with a security policy bypass) suggests a potentially high exploitation probability, though no public proof-of-concept (PoC) has been confirmed as of this date. It is not currently listed on the CISA KEV catalog. Given the ease of exploiting XSS vulnerabilities once a PoC is available, organizations should prioritize mitigation.
Organizations and individuals using PinchTab versions 0.8.3 through 0.8.5 are at risk. This includes users who have integrated PinchTab into their workflows or applications, particularly those who rely on the 'fn' mode for dynamic tab management. Shared hosting environments where PinchTab is deployed could expose multiple users to the vulnerability.
• linux / server:
journalctl -u pinchtab | grep -iE 'fn|evaluate'
• generic web:
curl -s 'https://your-pinchtab-instance/wait?fn=alert("XSS")' | grep -i 'XSS'
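A defender-side version of the log check above, added here as an example rather than taken from the page or from the PinchTab project: it scans access-log lines for requests to the two wait endpoints that carry an fn parameter, which is what the grep is trying to surface, and reports the line number, path and decoded fn value for triage. The sample lines are constructed, and the Common Log Format layout and the fn / mode=fn query convention are assumptions, since the page does not show PinchTab's real log format.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (Common Log Format); not real PinchTab output.
const sampleLog = `127.0.0.1 - - [24/Mar/2026:10:00:01 +0000] "GET /tabs/abc123/wait?selector=%23main HTTP/1.1" 200 17
10.0.0.5 - - [24/Mar/2026:10:00:02 +0000] "GET /wait?fn=document.title HTTP/1.1" 200 42
10.0.0.5 - - [24/Mar/2026:10:00:03 +0000] "GET /tabs/abc123/wait?fn=document.readyState%3D%3D%3D%22complete%22 HTTP/1.1" 200 42
127.0.0.1 - - [24/Mar/2026:10:00:04 +0000] "GET /tabs HTTP/1.1" 200 120`

// reqLine pulls the method and request target out of a CLF line.
var reqLine = regexp.MustCompile(`"(GET|POST) (\S+) HTTP/`)

// waitPath matches /wait and /tabs/{id}/wait, the endpoints named in the advisory.
var waitPath = regexp.MustCompile(`^/(?:tabs/[^/]+/)?wait$`)

// Finding records one request that reached a wait endpoint in fn mode.
type Finding struct {
	Line int    // 1-based line number in the scanned log
	Path string // request path without the query string
	Fn   string // decoded value of the fn parameter (empty if mode=fn was used)
}

// ScanLog returns every wait-endpoint request that selects fn mode. The
// fn / mode=fn convention is an assumption about the request format.
func ScanLog(logText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		m := reqLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[2])
		if err != nil || !waitPath.MatchString(u.Path) {
			continue
		}
		q := u.Query()
		if !q.Has("fn") && q.Get("mode") != "fn" {
			continue
		}
		out = append(out, Finding{Line: n, Path: u.Path, Fn: q.Get("fn")})
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d: fn-mode request to %s (fn=%q)\n", f.Line, f.Path, f.Fn)
	}
}
```

Note that this only sees what reaches the log: if fn mode is selected in a POST body, or a reverse proxy strips query strings before logging, the scan will miss it, so confirm where the fn value is actually recorded in your deployment before relying on this check.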
Exploitation status
EPSS
0.07% (23rd percentile)
CISA SSVC
The most effective mitigation for CVE-2026-33622 is to upgrade to a patched version of PinchTab that addresses the vulnerability. Note that this advisory text does not itself state a specific fixed version. Until a patch is released, disabling the 'fn' mode in the PinchTab configuration is a crucial workaround, as it prevents the vulnerable endpoints from being exploited. If upgrading is not immediately feasible, carefully review and restrict access to the /wait and /tabs/{id}/wait endpoints. Consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious JavaScript code in the 'fn' parameter. Monitor application logs for unusual activity or attempts to exploit the vulnerable endpoints.
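One way to enforce the control the advisory says was bypassed, added here as an illustration and not PinchTab's own code: a Go net/http middleware that refuses fn-mode requests to /wait and /tabs/{id}/wait unless security.allowEvaluate is enabled, so the check runs before any handler can evaluate the supplied function. The SecurityConfig type, the usesFnMode helper and the assumption that fn mode is selected by an fn (or mode=fn) query parameter are mine; the page does not give PinchTab's actual request format or configuration structure.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// SecurityConfig mirrors the security.allowEvaluate setting named in the
// advisory. Hypothetical type, not PinchTab's configuration struct.
type SecurityConfig struct {
	AllowEvaluate bool
}

// waitPath matches /wait and /tabs/{id}/wait, the endpoints named in the advisory.
var waitPath = regexp.MustCompile(`^/(?:tabs/[^/]+/)?wait$`)

// usesFnMode reports whether the request selects fn mode. The advisory names
// the mode but not its wire format; this assumes an fn query parameter (as in
// the page's curl check) or mode=fn.
func usesFnMode(r *http.Request) bool {
	q := r.URL.Query()
	return q.Has("fn") || q.Get("mode") == "fn"
}

// EvaluateGuard wraps a handler and rejects fn-mode requests to the wait
// endpoints with 403 unless the operator has turned security.allowEvaluate on.
// Gating here, ahead of the handler, is what closes the bypass: no code path
// that evaluates the supplied function runs without the policy check.
func EvaluateGuard(cfg SecurityConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if waitPath.MatchString(r.URL.Path) && usesFnMode(r) && !cfg.AllowEvaluate {
			http.Error(w, "fn mode disabled by security.allowEvaluate", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the guard in-process and returns the status
// code, so the policy can be exercised without opening a listener.
func Probe(allowEvaluate bool, target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for the real wait handler
	})
	h := EvaluateGuard(SecurityConfig{AllowEvaluate: allowEvaluate}, ok)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	fmt.Println(Probe(false, "/wait?fn=document.title"))          // 403: fn mode refused
	fmt.Println(Probe(false, "/tabs/abc/wait?selector=%23main"))  // 200: non-fn wait allowed
	fmt.Println(Probe(true, "/tabs/abc/wait?fn=document.title"))  // 200: operator opted in
}
```

The guard keys on the path and the mode selector only, deliberately not on the content of fn: trying to recognise "dangerous" JavaScript in the parameter is the kind of filter that the advisory's WAF suggestion can complement, but the policy itself should be a plain allow/deny decided by configuration.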
Update PinchTab to a patched version. Because this vulnerability allows arbitrary JavaScript execution, it is important to apply the fix as soon as it is published. See the GitHub security advisory for details and updates.
CVE-2026-33622 is a cross-site scripting (XSS) vulnerability in PinchTab versions 0.8.3 through 0.8.5, allowing attackers to execute JavaScript code.
You are affected if you are using PinchTab versions 0.8.3, 0.8.4, or 0.8.5 and have not upgraded to a patched version.
Upgrade to a patched version of PinchTab. Until a patch is available, disable the 'fn' mode in your PinchTab configuration.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests a potential for exploitation.
Refer to the PinchTab project's official website or GitHub repository for updates and advisories regarding CVE-2026-33622.