CVE-2026-45243— Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script
Possible ATT&CK Techniques 3AI
T1200 · Hardware Additions T1041 · Exfiltration Over C2 Channel T1059 · Command and Scripting InterpreterGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45243
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script
Source: NVD (National Vulnerability Database)
Vulnerability Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Summarize 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Summarize是Peter Steinberger个人开发者的一款支持多来源的快速摘要工具。 Summarize 0.15.1之前版本存在安全漏洞,该漏洞源于内容脚本window.postMessage桥接中的授权缺失问题,可能导致恶意页面执行自动化工件上的未授权操作。攻击者可以模拟带有伪造发送者标识符的运行时消息,列出、读取、创建、覆盖或删除受影响标签范围内的自动化工件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45243
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45243
请登录查看更多情报信息。
- https://github.com/steipete/summarize/pull/222issue-tracking
- https://nvd.nist.gov/vuln/detail/CVE-2026-45243
Same Patch Batch · steipete · 2026-05-18 · 5 CVEs total
| CVE-2026-45245 | 7.4 HIGH | Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted Events |
| CVE-2026-45242 | 7.1 HIGH | Summarize < 0.15.1 Path Traversal via slidesDir Parameter |
| CVE-2026-45246 | 5.5 MEDIUM | Summarize < 0.15.1 Insecure File Permissions Information Disclosure |
| CVE-2026-45244 | 5.4 MEDIUM | Summarize < 0.15.1 Unapproved Browser Automation Execution |
IV. Related Vulnerabilities
Same product: summarize
- CVE-2026-45246
Summarize < 0.15.1 Insecure File Permissions Information Dis - CVE-2026-45245
Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted - CVE-2026-45244
Summarize < 0.15.1 Unapproved Browser Automation Execution - CVE-2026-45242
Summarize < 0.15.1 Path Traversal via slidesDir Parameter - CVE-2026-45222
Summarize Insecure Daemon Configuration File Permissions
Same vendor: steipete
- CVE-2026-45246
Summarize < 0.15.1 Insecure File Permissions Information Dis - CVE-2026-45245
Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted - CVE-2026-45244
Summarize < 0.15.1 Unapproved Browser Automation Execution - CVE-2026-45242
Summarize < 0.15.1 Path Traversal via slidesDir Parameter - CVE-2026-45222
Summarize Insecure Daemon Configuration File Permissions
Same weakness: CWE-862
- CVE-2026-33137
XWiki Platform has an Unauthenticated XAR Import via REST /w - CVE-2026-21836
HCL DominoIQ is affected by broken access control - CVE-2026-27405
WordPress WpBookingly plugin <= 1.2.9 - Broken Access Contro - CVE-2026-27424
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6 - CVE-2026-45443
WordPress PDF for Elementor Forms + Drag And Drop Template B
V. Comments for CVE-2026-45243
No comments yet