CVE-2026-45243
6.1 MEDIUMSummarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows mali...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-862
Affected products
| Vendor | Product |
|---|---|
| steipete | summarize |
Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45243
- [Patch]https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd
- [Patch]https://github.com/steipete/summarize/pull/222
- [Other]https://github.com/steipete/summarize/releases/tag/v0.15.2
- [Other]https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script
Related CVEs
Same vendor
- CVE-2026-45246 — Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows l... (5.5 MEDIUM)
- CVE-2026-45245 — Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseov... (7.4 HIGH)
- CVE-2026-45244 — Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions with... (5.4 MEDIUM)
- CVE-2026-45242 — Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers ... (7.1 HIGH)
Same CWE
- CVE-2026-12105 — Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplicat...
- CVE-2026-53866 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators ... (8.1 HIGH)
- CVE-2026-53851 — OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite... (5.3 MEDIUM)
- CVE-2026-53850 — OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated caller... (5.5 MEDIUM)
- CVE-2026-53844 — OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated call... (6.5 MEDIUM)