CVE-2026-45245
Authenticated Request Forgery via Hover Summary in Summarize Prior to 0.15.1
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steipete | summarize | < 0.15.1 (all versions before 0.15.1; 0.15.1 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to make authenticated requests to internal or sensitive endpoints by exploiting synthetic mouseover events, potentially exposing sensitive internal data or systems.
Such unauthorized access to sensitive internal resources could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over access to personal or sensitive data.
Because the vulnerability enables unauthorized internal network access through the extension, it may compromise confidentiality and integrity requirements mandated by these standards.
Can you explain this vulnerability to me?
This vulnerability exists in the hover summary feature of the Summarize extension prior to version 0.15.1. A malicious web page can dispatch synthetic mouseover events (script-created events, which the browser marks with isTrusted === false) on attacker-controlled links, and the extension then makes authenticated requests to its daemon using stored tokens without checking whether the event came from real user input.
Attackers exploit this by placing local or private-network URLs behind hoverable links. Because the page fires the mouseover itself, merely loading attacker-controlled content causes the extension to route an authenticated request through the daemon to the chosen target, potentially reaching sensitive internal endpoints.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive internal network resources. Because the extension sends authenticated requests without verifying event authenticity, attackers can trick the extension into making requests to local or private network URLs.
This could expose internal endpoints and sensitive information to attackers, potentially compromising the security of internal systems when users interact with malicious content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious pages dispatching synthetic mouseover events to trigger authenticated daemon requests via the summarize browser extension. Detection involves monitoring for unusual or unauthorized daemon requests originating from the extension, especially those targeting local or private network URLs.
Since the vulnerability exploits synthetic mouseover events and unauthorized requests to internal endpoints, you can detect suspicious activity by inspecting network traffic for requests made by the extension to localhost or private IP ranges.
- Use network monitoring tools (e.g., Wireshark, tcpdump) to filter traffic from the browser or daemon process and look for requests to loopback (127.0.0.0/8), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or link-local (169.254.0.0/16) destinations.
- On Linux, for example: sudo tcpdump -i any 'host 127.0.0.1 or net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16'. The "any" pseudo-interface is Linux-specific; on macOS capture loopback on lo0 and the LAN interface (e.g., en0) separately. If the daemon runs on the same host, the extension's own call to it is ordinary loopback traffic, so the signal to look for is the daemon's onward fetch to a local or private target.
- Check browser extension logs or debug output (if available) for summary requests whose target is a localhost, private-range or non-HTTP(S) URL.
Note that the malicious page dispatches the mouseover itself, so the only user action required is loading attacker-controlled content; detection may therefore require correlating browsing activity with daemon requests.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the summarize extension to version 0.15.1 or later, which includes fixes that validate and reject synthetic hover events and block requests to localhost, private IP addresses, and non-HTTP(S) URLs.
- Upgrade the summarize extension to version 0.15.1 or newer.
- Ensure that the extension only processes trusted (non-synthetic) mouseover events.
- Block or restrict extension requests to local or private network URLs at the network or host firewall level if updating is not immediately possible.
These steps prevent attackers from exploiting the vulnerability by ensuring that only legitimate user interactions trigger summaries and that internal network resources are not accessed via the extension.