CVE-2026-45245

Exploit

EPSS 0.33%
Veröffentlicht 18.05.2026 19:00:54
Zuletzt bearbeitet 19.05.2026 01:34:04
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted Events

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Steipete ≫ Summarize Version < 0.15.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.245

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	4.6	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	7.4	2.8	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CWE-940 Improper Verification of Source of a Communication Channel

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

https://github.com/steipete/summarize/releases/tag/v0.15.2

Release Notes

https://github.com/steipete/summarize/pull/218

Patch

Exploit

Issue Tracking

https://github.com/steipete/summarize/commit/ecbb2c414255aa480a15d0d8b205224c14cfdbcb

Patch

https://www.vulncheck.com/advisories/summarize-unauthorized-daemon-request-via-untrusted-events

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-45245

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45245

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45245

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45245