Impact
PinchTab, a standalone HTTP server that lets AI agents drive a Chrome browser, contains a Windows-only command injection flaw in its orphaned-Chrome cleanup routine. When a user instance is stopped, the cleanup path builds a PowerShell -Command string from the supplied profile path. In version 0.8.4 the code escapes backslashes but does not neutralize the other PowerShell metacharacters (quotes, semicolons, pipes, dollar signs), so an attacker who controls the profile name can append commands of their own. The injected PowerShell runs under the operating-system account that hosts the PinchTab process. This is not an unauthenticated, internet-facing RCE: an attacker must first hold authenticated, administrative-equivalent API access to the instance lifecycle endpoints, launch an instance with a malicious profile name, and then stop it to trigger the cleanup step. The vulnerability carries a CVSS score of 6.7 (Medium) and an EPSS probability below 1 %; it is not listed in the CISA KEV catalog. Although exploitation requires privileged API access, the impact inside an already-compromised environment is significant, since the injected commands execute with whatever privileges the PinchTab OS user holds.
Affected Systems
The affected product is PinchTab's standalone HTTP server, version 0.8.4 running on Windows; non-Windows installations are not affected. The issue is fixed in version 0.8.5, which adds the missing input sanitization. No other vendors or product variants are reported as affected. Operators running PinchTab v0.8.4 on Windows should plan an upgrade. The problem is confined to the cleanup routine; other PinchTab functionality is not directly affected.
Risk and Exploitability
Exploitation takes three steps: obtain privileged API access, create an instance with a crafted profile name, then stop that instance so the cleanup routine runs. The injected command executes as the PinchTab process user, which may be an elevated account if the service was configured with administrative rights. With a moderate CVSS score and a low EPSS, widespread exploitation is unlikely, but within a trusted network the risk is significant. The absence of a public internet RCE vector reduces exposure, yet an internal attacker, or anyone holding a valid API credential, can still compromise the host through this flaw. Until the upgrade is applied, running the service under a dedicated low-privilege account limits what an injected command can do.
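The string-building pattern that the Impact and Risk sections describe, placed beside one hardened design, as an added illustration. This is not PinchTab's code: the Go functions, the PINCHTAB_PROFILE environment variable, the allowlist regex, the Win32_Process query and the two sample profile names are all assumptions made for this example (PowerShell's metacharacters and [WildcardPattern]::Escape are real). The v0.8.4-style builder doubles backslashes and nothing else, so a profile name containing a quote and a semicolon breaks out of the string literal; the hardened builder rejects anything outside a path allowlist and hands the path to PowerShell through the environment, so the script text never contains attacker-controlled characters.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed sample inputs for the demo (not real PinchTab profile names).
const (
	benignProfile    = `C:\Users\svc\AppData\Local\pinchtab\profile-1`
	maliciousProfile = `C:\p"; Start-Process calc; "`
)

// buildCleanupCommandV084 reproduces the flawed pattern the advisory
// describes: the profile path is spliced into a PowerShell -Command string
// and only backslashes are escaped. Quotes, ';', '$', '|' and the rest of
// PowerShell's syntax pass straight through to the parser.
// (Illustrative reconstruction, not the project's code.)
func buildCleanupCommandV084(profilePath string) string {
	escaped := strings.ReplaceAll(profilePath, `\`, `\\`)
	return fmt.Sprintf(`Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | `+
		`Where-Object { $_.CommandLine -like "*--user-data-dir=%s*" } | `+
		`ForEach-Object { Stop-Process -Id $_.ProcessId -Force }`, escaped)
}

// validProfilePath is an assumed allowlist: a drive letter, then only the
// characters a profile directory legitimately needs. Anything PowerShell could
// read as syntax (quotes, '$', ';', '|', backtick, braces, newlines) is excluded.
var validProfilePath = regexp.MustCompile(`^[A-Za-z]:\\[A-Za-z0-9_.\\ -]+$`)

// CleanupCommand is argv plus environment for powershell.exe. The
// user-controlled value lives only in Env, never in the script text.
type CleanupCommand struct {
	Args []string
	Env  []string
}

// buildCleanupCommandV085 is one hardened design: validate the path against
// the allowlist, then pass it to PowerShell out of band via an environment
// variable. The script reads $env:PINCHTAB_PROFILE as data, so even a value
// that slipped past validation could not be parsed as code. Wildcards in the
// path are escaped so -like matches it literally.
func buildCleanupCommandV085(profilePath string) (*CleanupCommand, error) {
	if !validProfilePath.MatchString(profilePath) {
		return nil, fmt.Errorf("refusing profile path %q: character outside allowlist", profilePath)
	}
	script := `Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | ` +
		`Where-Object { $_.CommandLine -like ("*--user-data-dir=" + [WildcardPattern]::Escape($env:PINCHTAB_PROFILE) + "*") } | ` +
		`ForEach-Object { Stop-Process -Id $_.ProcessId -Force }`
	return &CleanupCommand{
		Args: []string{"powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script},
		Env:  []string{"PINCHTAB_PROFILE=" + profilePath},
	}, nil
}

// Run executes the cleanup. Windows only; the stand-alone demo below does not
// call it, it only shows what would be executed.
func (c *CleanupCommand) Run() error {
	cmd := exec.Command(c.Args[0], c.Args[1:]...)
	cmd.Env = append(os.Environ(), c.Env...)
	return cmd.Run()
}

func main() {
	fmt.Println("v0.8.4-style command for the malicious profile name:")
	fmt.Println(buildCleanupCommandV084(maliciousProfile))
	fmt.Println()
	for _, p := range []string{benignProfile, maliciousProfile} {
		c, err := buildCleanupCommandV085(p)
		if err != nil {
			fmt.Println("hardened builder:", err)
			continue
		}
		fmt.Printf("hardened builder: argv=%q env=%q\n", c.Args, c.Env)
	}
}
```

Passing the path through the environment sidesteps every PowerShell quoting rule at once, which is why it is preferred here over escaping; the allowlist is defence in depth and also catches paths that are simply malformed. Doubling single quotes inside a single-quoted literal is the other common fix, but it keeps the value inside the parser's reach and has to be revisited whenever the surrounding script changes.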
OpenCVE Enrichment
Source: GitHub GHSA