PatchSiren cyber security CVE debrief
CVE-2026-45242 steipete CVE debrief
CVE-2026-45242 is a path traversal vulnerability in Summarize, a software project by Steipete, affecting versions prior to 0.15.1. The vulnerability resides in the `/v1/summarize` daemon endpoint, where authenticated attackers can manipulate the `slidesDir` request parameter to specify absolute paths or directory traversal sequences. This allows arbitrary file write operations to any writable directory on the target system, specifically enabling the creation of `slide_*.png` and `slides.json` files at attacker-controlled locations. The vulnerability also permits deletion of matching files through repeated extraction operations. The issue was disclosed on May 18, 2026, and assigned a CVSS 4.0 score of 7.1 (HIGH severity). A patch was committed and released in version 0.15.2. The vulnerability is classified under CWE-862 (Missing Authorization) as a secondary weakness type. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: steipete
- Product: summarize
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Organizations running Summarize daemon services prior to version 0.15.1, particularly those exposing the `/v1/summarize` endpoint to network-accessible interfaces. Security teams should prioritize patching if the service runs with elevated privileges or has write access to sensitive directories. Developers integrating Summarize should review input validation implementations.
Technical summary
The `/v1/summarize` endpoint in Summarize prior to 0.15.1 fails to properly sanitize the `slidesDir` parameter, enabling authenticated path traversal. Attackers can supply absolute paths (e.g., `/etc/cron.d/`) or traversal sequences (e.g., `../../../tmp/`) to redirect file operations outside the intended directory. The endpoint writes presentation output files (`slide_*.png`, `slides.json`) to the attacker-specified location, and repeated requests delete existing matching files there. This creates integrity risks and the potential for further system compromise if the writable directory is one used for configuration or executable storage. The vulnerability requires low privileges and no user interaction, and because the endpoint is network-accessible it is remotely exploitable by authenticated attackers.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Summarize to version 0.15.1 or later (fixed in 0.15.2)
- Review and restrict access to the /v1/summarize daemon endpoint to authorized users only
- Implement input validation on the slidesDir parameter to reject absolute paths and directory traversal sequences
- Monitor file system for unexpected slide_*.png and slides.json files in non-standard directories
- Apply principle of least privilege to service accounts running the Summarize daemon
- Review application logs for suspicious slidesDir parameter values indicating exploitation attempts
Evidence notes
Vulnerability confirmed through NVD analysis with official patch commit and release notes available. Third-party advisory from VulnCheck provides additional technical context. CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high integrity impact.
Official resources
- CVE-2026-45242 CVE record (CVE.org)
- CVE-2026-45242 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Third Party Advisory
2026-05-18T19:16:28.240Z