Description
Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.
Published: 2026-05-18
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The hover summary feature in Summarize prior to v0.15.1 fails to verify the trustworthiness of synthetic mouseover events. When a malicious page dispatches such an event over an attacker‑controlled link, the extension performs an authenticated daemon request using stored tokens. Stakeholders can embed local or private‑network URLs behind hoverable links, causing these privileged requests to target internal services that otherwise would not be reachable to the attacker. The impact is the unauthorized execution of authenticated requests to potentially sensitive internal endpoints.

Affected Systems

The vulnerability affects the Summarize browser extension by steipete. All releases earlier than version 0.15.1 are impacted; versions 0.15.1 and newer contain a fix.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score is not available, while the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves a user visiting a malicious webpage that programmatically dispatches synthetic mouseover events over attacker‑controlled links. This action causes the extension to issue daemon requests without verifying event authenticity, potentially exposing internal endpoints to the attacker. No additional exploitation conditions are noted beyond the presence of the vulnerable extension and a user interacting with the malicious content.

Generated by OpenCVE AI on May 18, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Summarize extension to the latest stable release (0.15.2 or newer).
  • Disable or remove the hover summary feature if an immediate update is not feasible.
  • Revoke or rotate any long‑lived tokens used by the extension after applying the update to mitigate potential abuse.

Generated by OpenCVE AI on May 18, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Steipete
Steipete summarize
Vendors & Products Steipete
Steipete summarize

Mon, 18 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.
Title Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted Events
Weaknesses CWE-918
CWE-940
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Steipete Summarize
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T20:31:54.413Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45245

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-18T20:16:38.593

Modified: 2026-05-18T20:19:31.307

Link: CVE-2026-45245

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T20:30:05Z

Weaknesses