Impact
PinchTab HTTP server versions 0.8.3 through 0.8.5 contain a security-policy bypass that lets an authenticated user execute arbitrary JavaScript in a Chrome tab by sending a POST /wait request in fn mode. The server embeds the user-supplied fn expression directly into executable JavaScript and evaluates it in the browser context without honoring the security.allowEvaluate guard, a setting that is disabled by default. The flaw effectively grants remote code execution within the controlled browser, putting at risk the confidentiality, integrity, and availability of the system that runs the agent. The weakness aligns with CWE-284, CWE-693, and CWE-94.
Affected Systems
The vulnerability affects the PinchTab product, released as a standalone HTTP server, in versions 0.8.3 through 0.8.5. Its API gives AI agents direct control over a Chrome browser, and the flaw lies in the handling of POST /wait and POST /tabs/{id}/wait when fn mode is used. The security.allowEvaluate setting is disabled by default, but fn mode ignores this guard. No other vendors or versions are reported as affected, and the current source tree has been patched to enforce the same policy boundary on fn mode.
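The policy boundary described above, sketched as an added example (not PinchTab's own code): one function builds the wait condition for every mode, so the fn path cannot reach the browser without passing the security.allowEvaluate check. The type names, JSON field names and generated script shape are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Policy mirrors the advisory's security.allowEvaluate setting (off by default).
type Policy struct{ AllowEvaluate bool }

// WaitRequest is a hypothetical POST /wait body; field names are assumptions.
type WaitRequest struct {
	Selector string `json:"selector"`
	Fn       string `json:"fn"`
}

var ErrEvalDisabled = errors.New("fn mode requires security.allowEvaluate")

// BuildWaitScript returns the JavaScript condition to poll in the tab.
// Every path that turns request text into code passes the same policy gate.
func BuildWaitScript(p Policy, body []byte) (string, error) {
	var req WaitRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return "", fmt.Errorf("bad request: %w", err)
	}
	switch {
	case req.Fn != "" && req.Selector != "":
		return "", errors.New("specify exactly one wait mode")
	case req.Fn != "":
		if !p.AllowEvaluate { // the guard the advisory says fn mode did not honor
			return "", ErrEvalDisabled
		}
		return "Boolean(" + req.Fn + ")", nil
	case req.Selector != "":
		// A selector is data: encode it as a string literal, never splice it raw.
		lit, err := json.Marshal(req.Selector)
		if err != nil {
			return "", err
		}
		return "document.querySelector(" + string(lit) + ") !== null", nil
	}
	return "", errors.New("no wait condition given")
}

func main() {
	body := []byte(`{"fn":"document.title"}`) // constructed sample request
	_, err := BuildWaitScript(Policy{}, body)
	fmt.Println("default policy:", err)
}
```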
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog, reinforcing its relative novelty. Exploitation requires an authenticated API token, so the flaw cannot be reached through unauthenticated access. Nevertheless, an attacker who obtains a token can inject and run malicious JavaScript inside the agent's browser context. Until a public patch is released, the risk remains contingent on securing authentication credentials and monitoring for malicious activity.