{"data":{"id":"4e898458-bc08-4a11-b823-7b1335710f31","title":"CVE-2026-33081: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Versions 0.8.2 and below","summary":"PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome web browser. Versions 0.8.2 and earlier have a blind SSRF vulnerability in the /download endpoint (server-side request forgery: a flaw where an attacker tricks the server into making requests to internal networks that should be off-limits; blind means the attacker does not see the response). The server checks the submitted URL only once, up front, but the browser that performs the download can then follow redirects the check never sees and reach internal addresses. The risk is limited because the vulnerable feature is disabled by default.","solution":"The issue has been patched in version 0.8.3.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33081","publishedAt":"2026-03-20T10:16:18.563Z","cveId":"CVE-2026-33081","cweIds":["CWE-918"],"cvssScore":"5.8","cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["PinchTab"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-20T10:16:18.563Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}