CVE-2026-30834

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30834

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30834.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30834

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-07T15:36:30.036Z

Modified

2026-04-10T05:42:36.279751Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

PinchTab: SSRF with Full Response Exfiltration via Download Handler

Details

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content. This issue has been patched in version 0.7.7.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30834.json",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Git / github.com/pinchtab/pinchtab

Affected ranges

Type: GIT
Repo: https://github.com/pinchtab/pinchtab
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3b64a0565d1c4b7118da7b3912f0316775097240

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30834.json"