The flaw in Summarize before version 0.15.1 removes an authorization check that is required when the extension automation feature is enabled. An attacker that can supply malicious content to the extension—such as a crafted page or summary—can invoke automatic browser actions (navigation, debugger‑backed commands, etc.) without the normal user approval step. Because the vendor’s CNA classified this issue as CWE‑862, the vulnerability is an example of missing authorization, allowing an attacker to trigger browser automation functions that could be used to stealthily modify the user’s browsing context, exfiltrate data, or perform other automated tasks without the user’s knowledge.

steipete summarizes application prior to version 0.15.1 is vulnerable. Users who are running any earlier release of Summarize and have the extension automation feature enabled are exposed; specific product names are summarized by steipete:summarize, and the affected range is any release before 0.15.1.

The CVSS score of 2.1 classifies this as a low‑severity concern, and no EPSS score is available. It is not listed in CISA’s KEV catalog. The vulnerability can be exploited when an attacker can deliver malicious content to a user of the software, for example by hosting a malicious webpage or injecting dangerous content into a summary. The attacker’s ability to trigger automated actions without user approval means that, while the damage scope is limited to automated browser actions within the application, it can still be used to compromise user data or facilitate social‑engineering attacks. The lack of availability of an EPSS score and the low CVSS suggest that widespread exploitation is currently unlikely, but the attack vector is realistic for an attacker with access to user content.