PatchSiren cyber security CVE debrief
CVE-2026-45245 steipete CVE debrief
A vulnerability in the Summarize browser extension (versions prior to 0.15.1) allows malicious web pages to trigger unauthorized authenticated requests to internal endpoints. The extension's hover summary feature processes synthetic mouseover events on attacker-controlled links without verifying event trustworthiness, causing the extension to dispatch authenticated daemon requests using stored tokens. Attackers can exploit this by placing local or private-network URLs behind hoverable elements, routing requests through the daemon to access sensitive internal resources when users interact with attacker-controlled content. The issue stems from insufficient input validation of event origins (CWE-918) and improper handling of untrusted events (CWE-940).
- Vendor: steipete
- Product: summarize
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Organizations using the Summarize browser extension; security teams monitoring for browser-based SSRF vectors; developers of browser extensions handling authenticated cross-origin requests
Technical summary
The vulnerability exists in the hover summary feature of the Summarize browser extension. When a user hovers over a link, the extension dispatches a request to a local daemon to generate a summary. The extension fails to validate that mouseover events are genuine user interactions rather than synthetic events dispatched by malicious JavaScript. An attacker-controlled page can programmatically trigger mouseover events on links pointing to internal URLs (localhost, private IP ranges), causing the extension to make authenticated requests to those endpoints using stored tokens. This effectively turns the extension into a request proxy for accessing sensitive internal services that would otherwise be unreachable from the internet.
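Added example (not code from the Summarize extension or its vendor): a gate a hover-summary handler could apply before dispatching a daemon request, rejecting synthetic events (CWE-940) and loopback, private-network and non-http targets (CWE-918). The function names and the shape of the event object are assumptions for illustration.

```javascript
// Added example, not the Summarize extension's own code: a gate a hover
// summary handler could apply before forwarding a link to the daemon.
// CWE-940: isTrusted is set by the browser and is unforgeable; events that
// page script fires via dispatchEvent() always have isTrusted === false.
// CWE-918: refuse loopback, private, link-local and non-http targets.
const LOCAL_HOSTNAMES = new Set(['localhost', 'localhost.localdomain']);

// Dotted-quad IPv4 literal -> octets, else null. new URL() has already
// normalised shorthand/hex forms (127.1, 0x7f000001) to dotted quads.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local (incl. cloud metadata), CGNAT, unspecified.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)
    || (a === 100 && b >= 64 && b <= 127);
}

// Loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10)
// and IPv4-mapped addresses whose embedded IPv4 is internal.
function isInternalIPv6(host) {
  const h = host.toLowerCase();
  if (h === '::1' || h === '::' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (!mapped) return false;
  const v4 = parseIPv4(mapped[1]);
  return v4 === null || isInternalIPv4(v4);
}

// Returns { allow, reason }. `event` only needs an isTrusted property here.
function shouldDispatchSummary(event, href) {
  if (!event || event.isTrusted !== true) return { allow: false, reason: 'synthetic event' };
  let url;
  try { url = new URL(href); } catch { return { allow: false, reason: 'unparseable url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allow: false, reason: 'non-http scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // hostname keeps [] around IPv6
  if (LOCAL_HOSTNAMES.has(host) || host.endsWith('.localhost') || host.endsWith('.local')) {
    return { allow: false, reason: 'local hostname' };
  }
  const v4 = parseIPv4(host);
  if (v4 && isInternalIPv4(v4)) return { allow: false, reason: 'internal ipv4' };
  if (host.includes(':') && isInternalIPv6(host)) return { allow: false, reason: 'internal ipv6' };
  return { allow: true, reason: 'ok' };
}
```

Hostname checks alone do not cover DNS rebinding, where a public name resolves to an internal address, so the daemon should re-check the resolved address before connecting.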
Defensive priority
medium
Recommended defensive actions
- Update Summarize extension to version 0.15.1 or later
- Review browser extension permissions and disable hover preview features for untrusted sites if updates cannot be immediately applied
- Monitor network logs for unexpected authenticated requests to internal endpoints originating from browser extension contexts
- Implement network segmentation to restrict access to sensitive internal services from client workstations
Evidence notes
Official CVE record published 2026-05-18; NVD entry analyzed with CVSS 4.0 vector. Patch commit ecbb2c4 and release v0.15.2 issued by vendor. Third-party advisory from VulnCheck confirms exploitability via crafted mouseover events.
Official resources
- CVE-2026-45245 CVE record (CVE.org)
- CVE-2026-45245 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch)
- Mitigation or vendor reference: [email protected] (Exploit, Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
2026-05-18