Description

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

PUBLISHED Reserved 2026-05-11 | Published 2026-05-18 | Updated 2026-05-19 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)

MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Missing Authorization

Product status

Default status: affected

Any version before 0.15.1: affected

357544063af535bd574752622f9eb94be33ee5fd (git): unaffected

Credits

Chia Min Jun Lennon (finder)

References

github.com/steipete/summarize/releases/tag/v0.15.2 (release-notes)

github.com/steipete/summarize/pull/222 (issue-tracking)

github.com/...ommit/357544063af535bd574752622f9eb94be33ee5fd (patch)

www.vulncheck.com/...issing-authorization-via-content-script (third-party-advisory)

cve.org (CVE-2026-45243)

nvd.nist.gov (CVE-2026-45243)
