Platform
go
Component
github.com/pinchtab/pinchtab/cmd/pinchtab
Fixed in
0.8.4
0.8.6
CVE-2026-33622 describes a cross-site scripting (XSS) vulnerability in PinchTab, a Go-based application (component github.com/pinchtab/pinchtab/cmd/pinchtab). The flaw lets an attacker inject and execute arbitrary JavaScript in a user's browser, with session hijacking, data theft, or page defacement as possible outcomes. It affects PinchTab versions 0.8.3 through 0.8.5 and is reached through the /wait and /tabs/{id}/wait endpoints in 'fn' mode, which evaluates the supplied JavaScript without honouring the security.allowEvaluate setting. Fixed releases are listed at the top of this page.
The primary impact of CVE-2026-33622 is that an attacker can execute JavaScript of their choosing in the context of a victim's browser session. That code can read sensitive data such as cookies and authentication tokens, letting the attacker impersonate the user, and it can rewrite the page the user sees, enabling phishing or malware delivery. The bypass of the security.allowEvaluate setting makes this worse than an ordinary XSS: the setting exists precisely to stop untrusted JavaScript evaluation, so operators who set it to false may believe they are protected when the 'fn' path is still open. Because PinchTab is used to drive browser tabs and workflows, a compromised instance can expose whatever data and sessions those tabs hold.
CVE-2026-33622 was publicly disclosed on 2026-03-24. The nature of the flaw (XSS combined with a security-policy bypass) suggests exploitation would be straightforward once a proof-of-concept exists, although no public PoC has been confirmed as of this date and the EPSS score below is low. It is not currently listed in the CISA KEV catalog. Given how easily XSS is weaponized once a PoC circulates, organizations should prioritize mitigation.
Organizations and individuals using PinchTab versions 0.8.3 through 0.8.5 are at risk. This includes users who have integrated PinchTab into their workflows or applications, particularly those who rely on the 'fn' mode for dynamic tab management. Shared hosting environments where PinchTab is deployed could expose multiple users to the vulnerability.
• linux / server:
journalctl -u pinchtab | grep -iE 'fn|evaluate'
• generic web:
curl -s 'https://your-pinchtab-instance/wait?fn=alert("XSS")' | grep -i 'XSS'
Run the web check only against instances you are authorized to test: on a vulnerable build the fn payload is actually evaluated, not merely echoed.
Disclosure
Exploit Status
EPSS
0.07% (23rd percentile)
CISA SSVC
The most effective mitigation for CVE-2026-33622 is to upgrade to a fixed release. The fixed versions listed at the top of this page are 0.8.4 and 0.8.6; since 0.8.4 and 0.8.5 also fall inside the affected range, 0.8.6 or later is the safe target. Until you can upgrade, disable 'fn' mode in the PinchTab configuration so that the vulnerable endpoints cannot evaluate supplied JavaScript; note that setting security.allowEvaluate to false on its own is not sufficient, because this vulnerability bypasses that setting. If upgrading is not immediately feasible, restrict access to the /wait and /tabs/{id}/wait endpoints, for example with a reverse proxy or Web Application Firewall rule that rejects requests carrying a 'fn' parameter, and monitor application logs for requests to those endpoints that attempt fn evaluation.
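The following is an added illustration, not code from the PinchTab project: a Go net/http middleware that refuses 'fn' mode on the two endpoints named in this advisory unless evaluation is explicitly allowed, plus a scanner that picks the same requests out of access-log lines (it serves both the workaround described above and the log-monitoring check listed earlier). Everything here is an assumption for illustration: the Policy struct stands in for the security.allowEvaluate setting, 'fn' is assumed to arrive as a query parameter as in the curl check above, and the log lines are constructed, not real PinchTab output.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Policy is an assumed config shape (not PinchTab's real struct) holding the one
// setting the advisory names, security.allowEvaluate.
type Policy struct {
	AllowEvaluate bool
}

// waitPathRe matches the two endpoints the advisory names: /wait and /tabs/{id}/wait.
var waitPathRe = regexp.MustCompile(`^/(wait|tabs/[^/]+/wait)$`)

// IsFnEvaluationRequest reports whether a request targets a wait endpoint in 'fn'
// mode. It assumes fn is passed as a query parameter (as in the curl check above).
func IsFnEvaluationRequest(path string, query url.Values) bool {
	if !waitPathRe.MatchString(path) {
		return false
	}
	_, hasFn := query["fn"]
	return hasFn
}

// Blocked is the policy decision: fn mode is refused unless AllowEvaluate is set.
func Blocked(p Policy, path string, query url.Values) bool {
	return !p.AllowEvaluate && IsFnEvaluationRequest(path, query)
}

// Guard enforces the policy in front of the wrapped handler, so the check covers
// every route that could reach JavaScript evaluation, and logs refused attempts.
func Guard(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if Blocked(p, r.URL.Path, r.URL.Query()) {
			log.Printf("refused fn evaluation: %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "fn mode disabled: security.allowEvaluate is false", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SuspiciousLogLines scans access-log lines of the assumed form
// "<method> <path-with-query>" and returns those that would reach fn evaluation.
func SuspiciousLogLines(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.ParseRequestURI(fields[1])
		if err != nil {
			continue
		}
		if IsFnEvaluationRequest(u.Path, u.Query()) {
			hits = append(hits, line)
		}
	}
	return hits
}

// sampleLog is a constructed sample (not real PinchTab output) for the scanner.
var sampleLog = []string{
	"GET /tabs/abc123/wait?fn=alert(1)",
	"GET /tabs/abc123/wait?selector=%23main",
	"GET /wait?fn=document.cookie",
	"GET /health",
}

func main() {
	for _, l := range SuspiciousLogLines(sampleLog) {
		fmt.Println("suspicious:", l)
	}
	// Demo server: with AllowEvaluate false, GET /wait?fn=... is answered with 403.
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Guard(Policy{AllowEvaluate: false}, mux)))
}
```

Deploying the guard as a reverse-proxy layer in front of an unpatched instance gives the same effect as the WAF rule described above; the scanner shows what the journalctl grep is really looking for, namely hits on the wait endpoints that carry a fn parameter.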
Update PinchTab to a fixed release as soon as possible. The vulnerability allows arbitrary JavaScript execution, so applying the fix promptly is essential. Consult the security advisory on GitHub for further details and updates.
CVE-2026-33622 is a cross-site scripting (XSS) vulnerability in PinchTab versions 0.8.3 through 0.8.5, allowing attackers to execute JavaScript code.
You are affected if you are using PinchTab versions 0.8.3, 0.8.4, or 0.8.5 and have not upgraded to a patched version.
Upgrade to a fixed release of PinchTab (0.8.6 or later, per the versions listed above). If you cannot upgrade immediately, disable 'fn' mode in your PinchTab configuration and restrict access to the /wait and /tabs/{id}/wait endpoints.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests a potential for exploitation.
Refer to the PinchTab project's official website or GitHub repository for updates and advisories regarding CVE-2026-33622.