Platform
go
Component
github.com/pinchtab/pinchtab/cmd/pinchtab
Fixed versions
0.8.4
0.8.6
CVE-2026-33622 describes a cross-site scripting (XSS) vulnerability in PinchTab, a Go-based application. The flaw lets an attacker inject and execute arbitrary JavaScript in a user's browser, which can lead to session hijacking, data theft, or page defacement. It affects PinchTab versions 0.8.3 through 0.8.5 and is reachable through the /wait and /tabs/{id}/wait endpoints when they are used in 'fn' mode; in that mode the supplied JavaScript is evaluated even when the security.allowEvaluate setting is disabled. A fix is available by upgrading to one of the patched versions listed above.
The primary impact of CVE-2026-33622 is that an attacker can execute JavaScript in the context of a victim's browser session. That allows theft of sensitive data such as cookies and authentication tokens, and therefore impersonation of the user. An attacker could also alter the content shown to the user, enabling phishing or the delivery of malware. Because 'fn' mode bypasses the security.allowEvaluate setting, the vulnerability defeats a control that was specifically designed to stop script evaluation, which materially increases the risk. This is particularly concerning because PinchTab is used to manage browser tabs and workflows, so a compromised instance can expose a wide range of user data and activity.
CVE-2026-33622 was publicly disclosed on 2026-03-24. XSS combined with a security-policy bypass is straightforward to exploit once a proof of concept exists, but no public PoC has been confirmed as of this date, and the current EPSS score (0.07%, 23rd percentile) is low. The CVE is not listed in the CISA KEV catalog. Organizations should nonetheless prioritize mitigation rather than wait for a PoC to appear.
Organizations and individuals running PinchTab versions 0.8.3 through 0.8.5 are at risk. This includes anyone who has integrated PinchTab into their workflows or applications, and in particular deployments that rely on 'fn' mode for dynamic tab management. In shared hosting environments, a single vulnerable PinchTab instance can expose multiple users.
• linux / server (look for wait requests that used fn mode or triggered evaluation):
journalctl -u pinchtab | grep -iE 'fn|evaluate'
• generic web (run only against an instance you own; a response that echoes the marker indicates the endpoint evaluated the supplied fn):
curl -s 'https://your-pinchtab-instance/wait?fn=alert(%22XSS%22)' | grep -i 'XSS'
Exploitation status
EPSS
0.07% (23rd percentile)
CISA SSVC
The most effective mitigation for CVE-2026-33622 is to upgrade to a patched version of PinchTab; the fixed versions listed on this page are 0.8.4 and 0.8.6. If upgrading is not immediately feasible, disable 'fn' mode in the PinchTab configuration so the vulnerable code path on /wait and /tabs/{id}/wait cannot be reached. In addition, restrict who can reach those two endpoints at all, and consider a Web Application Firewall (WAF) rule that blocks requests carrying JavaScript in the 'fn' parameter. Monitor application logs for unusual activity or attempts to hit the vulnerable endpoints.
Upgrade PinchTab to a patched version as soon as possible. The vulnerability allows arbitrary JavaScript execution, so applying the fix promptly is critical. See the GitHub Security Advisory for more information and updates.
CVE-2026-33622 is a cross-site scripting (XSS) vulnerability in PinchTab versions 0.8.3 through 0.8.5, allowing attackers to execute JavaScript code.
You are affected if you are using PinchTab versions 0.8.3, 0.8.4, or 0.8.5 and have not upgraded to a patched version.
Upgrade to a patched version of PinchTab (0.8.4 or 0.8.6 as listed above). If you cannot upgrade immediately, disable 'fn' mode in your PinchTab configuration.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests a potential for exploitation.
Refer to the PinchTab project's official website or GitHub repository for updates and advisories regarding CVE-2026-33622.