{"data":{"id":"f7fc4f30-7823-49bb-972c-c0a37a39b260","title":"CVE-2026-33623: PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a command injection vulnerability on Windows.","summary":"PinchTab v0.8.4, a tool that lets AI agents control Chrome browsers through an HTTP server, has a command injection vulnerability on Windows where attackers can run arbitrary PowerShell commands if they have administrative access to the server's API. The vulnerability exists because the cleanup routine doesn't properly escape PowerShell metacharacters (characters that PowerShell treats as syntax rather than literal text) when building cleanup commands from profile names.","solution":"Version 0.8.5 contains a patch for the issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33623","publishedAt":"2026-03-26T21:17:06.950Z","cveId":"CVE-2026-33623","cweIds":["CWE-78","CWE-400"],"cvssScore":"6.7","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["PinchTab"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"high","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-26T21:17:06.950Z","capecIds":["CAPEC-125","CAPEC-130","CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}