7.5
PinchTab: Unapproved Browser Access to Internal Systems
GHSA-rw8p-c6hf-q3pg
CVE-2026-30834
Summary
A security issue in PinchTab's download feature let unauthorized users potentially access internal systems and sensitive data. This has been fixed in version 0.7.7. Update to the latest version to prevent this risk.
What to do
- Update pinchtab (github.com) to version 0.7.7.
- Update github.com/pinchtab/pinchtab/cmd/pinchtab to version 0.7.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | pinchtab | <= 0.7.6 | 0.7.7 |
| pinchtab | github.com/pinchtab/pinchtab/cmd/pinchtab | <= 0.7.7 | 0.7.7 |
| pinchtab | pinchtab | <= 0.7.7 | – |
Original title
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint ...
Original description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.
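An added example, not PinchTab's code or its 0.7.7 patch: a Go check that a download handler could run before handing a URL to the browser, covering the two target classes the description names (local files and internal network services). `checkDownloadURL`, `stubLookup` and `table` are hypothetical names, and the DNS answers are constructed so the block runs offline.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// Constructed DNS answers so the example runs offline.
var table = map[string][]string{"example.com": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"}}

// stubLookup stands in for net.LookupHost; unknown names return no addresses.
func stubLookup(host string) ([]string, error) { return table[host], nil }

// checkDownloadURL (hypothetical) rejects non-http(s) schemes such as file:
// and any host that is, or resolves to, a non-public address.
func checkDownloadURL(raw string, lookup func(string) ([]string, error)) error {
	u, err := url.Parse(raw) // url.Parse lowercases the scheme
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	addrs := []string{host}
	if _, err := netip.ParseAddr(host); err != nil { // not an IP literal: resolve it
		if addrs, err = lookup(host); err != nil || len(addrs) == 0 {
			return fmt.Errorf("cannot resolve %q", host) // fail closed
		}
	}
	for _, a := range addrs {
		ip, err := netip.ParseAddr(a)
		if err != nil {
			return fmt.Errorf("bad address %q", a)
		}
		ip = ip.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() || ip.IsUnspecified() {
			return fmt.Errorf("%q maps to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	for _, raw := range []string{"https://example.com/a.pdf", "file:///etc/hostname", "http://127.0.0.1:8080/", "http://intranet.example/"} {
		fmt.Printf("%-28s -> %v\n", raw, checkDownloadURL(raw, stubLookup))
	}
}
```

A check made before the browser resolves the name itself does not cover DNS rebinding or redirects to internal hosts, so egress restrictions on the host running the browser are still needed.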
CVSS 3.1 (GHSA): 7.5
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026