The hover summary feature in Summarize prior to v0.15.1 fails to verify the trustworthiness of synthetic mouseover events. When a malicious page dispatches such an event over an attacker‑controlled link, the extension performs an authenticated daemon request using stored tokens. Stakeholders can embed local or private‑network URLs behind hoverable links, causing these privileged requests to target internal services that otherwise would not be reachable to the attacker. The impact is the unauthorized execution of authenticated requests to potentially sensitive internal endpoints.

The vulnerability affects the Summarize browser extension by steipete. All releases earlier than version 0.15.1 are impacted; versions 0.15.1 and newer contain a fix.

The CVSS score of 4.6 indicates moderate severity, and the EPSS score is not available, while the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves a user visiting a malicious webpage that programmatically dispatches synthetic mouseover events over attacker‑controlled links. This action causes the extension to issue daemon requests without verifying event authenticity, potentially exposing internal endpoints to the attacker. No additional exploitation conditions are noted beyond the presence of the vulnerable extension and a user interacting with the malicious content.