CVE-2026-30834
HIGH EPSS 34.0%
Published Mar 7, 2026 · Modified Mar 11, 2026
7.5 CVSS 3.1
Description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
34.0% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-918 Server-Side Request Forgery (SSRF) Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| pinchtab | pinchtab | * | <0.7.7 |
References 1
- github.com https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.