CVE-2026-45242
7.1 HIGHSummarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers ...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 7.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| steipete | summarize |
Description
Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45242
- [Patch]https://github.com/steipete/summarize/commit/ec8efd63295656fbfe8743620179c489bc5a242f
- [Patch]https://github.com/steipete/summarize/pull/220
- [Other]https://github.com/steipete/summarize/releases/tag/v0.15.2
- [Other]https://www.vulncheck.com/advisories/summarize-path-traversal-via-slidesdir-parameter
- [Patch]https://github.com/steipete/summarize/pull/220
Related CVEs
Same vendor
- CVE-2026-45246 — Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows l... (5.5 MEDIUM)
- CVE-2026-45245 — Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseov... (7.4 HIGH)
- CVE-2026-45244 — Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions with... (5.4 MEDIUM)
- CVE-2026-45243 — Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows mali... (6.1 MEDIUM)
Same CWE
- CVE-2026-12105 — Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplicat...
- CVE-2026-53866 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators ... (8.1 HIGH)
- CVE-2026-53851 — OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite... (5.3 MEDIUM)
- CVE-2026-53850 — OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated caller... (5.5 MEDIUM)
- CVE-2026-53844 — OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated call... (6.5 MEDIUM)