High severity (7.4) · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026
CVE-2026-45245
Description
Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.
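A guard of the kind the description implies, written here as an added example and not taken from the Summarize code base. The names `shouldSummarizeHover` and `isPrivateHost` are hypothetical, and the private-address filter goes beyond the trust check the description mentions, as an assumed second layer.

```javascript
// Added example: decide whether a hover event may trigger an authenticated request.
// Function names are hypothetical; this is not the extension's API.

// True for loopback, RFC 1918, link-local and similar non-public hosts.
function isPrivateHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals; strip them.
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".local")) {
    return true;
  }
  if (host.includes(":")) {
    // IPv6: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
    // IPv4-mapped addresses are rejected conservatively.
    return host === "::1" || host === "::" || host.startsWith("::ffff:")
      || /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host);
  }
  // The URL parser has already normalised decimal/hex IPv4 forms to dotted quads.
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false; // DNS name: resolution-time checks belong in the daemon
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127
    || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168);
}

function shouldSummarizeHover(event) {
  // Events created by page script via dispatchEvent() have isTrusted === false.
  if (!event || event.isTrusted !== true) return false;
  const target = event.target;
  const link = target && typeof target.closest === "function"
    ? target.closest("a[href]")
    : null;
  if (!link) return false;
  let url;
  try {
    url = new URL(link.href);
  } catch {
    return false; // unparsable href
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return !isPrivateHost(url.hostname);
}
```

A literal-address filter does not cover public DNS names that resolve to internal addresses, so the component that actually fetches the URL still needs its own destination check.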
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @steipete/summarize (npm) | < 0.15.1 | 0.15.1 |
References
- github.com/steipete/summarize/commit/ecbb2c414255aa480a15d0d8b205224c14cfdbcb (nvd: Patch, WEB)
- github.com/steipete/summarize/pull/218 (nvd: Exploit, Issue Tracking, Patch, WEB)
- github.com/advisories/GHSA-2r69-qgv3-hr65 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-45245 (ghsa: ADVISORY)
- www.vulncheck.com/advisories/summarize-unauthorized-daemon-request-via-untrusted-events (nvd: Third Party Advisory, WEB)
- github.com/steipete/summarize/releases/tag/v0.15.1 (ghsa: WEB)
- github.com/steipete/summarize/releases/tag/v0.15.2 (nvd: Release Notes, WEB)