VYPR
Vendor

CodexBar

Products
2
CVEs
12
Across products
12
Status
Private

Products

2

Recent CVEs

12
  • CVE-2026-53782HigJun 11, 2026
    risk 0.41cvss 7.4epss 0.00

    Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations…

  • CVE-2026-45245HigMay 18, 2026
    risk 0.41cvss 7.4epss 0.00

    Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying…

  • CVE-2026-49135HigJun 1, 2026
    risk 0.39cvss 7.1epss 0.00

    CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the…

  • CVE-2026-49134HigJun 1, 2026
    risk 0.39cvss 7.1epss 0.00

    CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a…

  • CVE-2026-45242HigMay 18, 2026
    risk 0.39cvss 7.1epss 0.00

    Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter.…

  • CVE-2026-45243MedMay 18, 2026
    risk 0.33cvss 6.1epss 0.00

    Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender…

  • CVE-2026-45222MedMay 11, 2026
    risk 0.33cvss 6.1epss 0.00

    Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer tokens and API credentials stored in…

  • CVE-2026-43625MedJun 1, 2026
    risk 0.31cvss 5.9epss 0.00

    CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network…

  • CVE-2026-45246MedMay 18, 2026
    risk 0.29cvss 5.5epss 0.00

    Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration…

  • CVE-2026-45244MedMay 18, 2026
    risk 0.28cvss 5.4epss 0.00

    Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or…

  • CVE-2026-49949MedJun 11, 2026
    risk 0.27cvss 5.3epss 0.00

    CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed…

  • CVE-2026-53781MedJun 11, 2026
    risk 0.21cvss 4.3epss 0.00

    Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed…