Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
Published: 2026-05-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the content script’s window.postMessage bridge. Malicious pages can craft spoofed messages that the extension accepts as originating from the extension itself, enabling the attacker to list, read, create, overwrite, or delete automation artifacts that belong to the affected tab.

Affected Systems

The affected product is the Summarize browser extension from steipete, in any version prior to 0.15.1. Any browser that loads this extension and visits a page that can run JavaScript in the tab is susceptible.

Risk and Exploitability

The CVSS score of 5.3 classifies this as a moderate severity issue. EPSS data is not available, and it is not listed in CISA’s KEV catalog. The likely attack vector is a malicious webpage loaded in a tab where the extension is active; the attacker does not need special network privileges but must host a page that can send the crafted postMessage to the extension’s content script.

Generated by OpenCVE AI on May 18, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Summarize extension to version 0.15.2 or later.
  • Limit the extension’s permissions by removing unnecessary host permissions and restricting the sites for which it runs.
  • If a patch is not immediately available, disable the extension’s content script message bridge or block window.postMessage from untrusted origins.

Generated by OpenCVE AI on May 18, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Steipete
Steipete summarize
Vendors & Products Steipete
Steipete summarize

Mon, 18 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
Title Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Steipete Summarize
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T18:50:45.838Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45243

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-18T19:16:28.387

Modified: 2026-05-18T19:40:54.453

Link: CVE-2026-45243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T21:30:15Z

Weaknesses