CVE-2026-30834
HIGH
PinchTab < 0.7.7 - Server-Side Request Forgery via Download Endpoint
Title source: llm
Description
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
33.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
pinchtab/pinchtab
< 0.7.7
pinchtab/pinchtab
0 - 0.7.7
Go
Published
Mar 07, 2026
Tracked Since
Mar 07, 2026