Skip to main content

Summarize EUVDEUVD-2026-30795

| CVE-2026-45245 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-18 VulnCheck GHSA-2r69-qgv3-hr65
4.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Severity Changed
May 18, 2026 - 20:22 NVD
HIGH MEDIUM
CVSS changed
May 18, 2026 - 20:22 NVD
7.4 (HIGH) 4.6 (MEDIUM)
Source Code Evidence Fetched
May 18, 2026 - 20:00 vuln.today
Analysis Generated
May 18, 2026 - 20:00 vuln.today

DescriptionCVE.org

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.

AnalysisAI

Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coerce the extension's hover summary feature into issuing authenticated requests to local or private-network URLs via the user's daemon. The flaw stems from the extension processing synthetic mouseover events without verifying their trustworthiness, enabling attacker-controlled links to route authenticated daemon requests using stored tokens. No public exploit identified at time of analysis, but a vendor patch is available and the issue was reported by VulnCheck.

Technical ContextAI

Summarize is a browser extension (Chrome/Firefox) by developer steipete that provides AI-assisted page summarization and uses a local daemon process to handle authenticated requests with stored credentials. The vulnerability is classified as CWE-918 (Server-Side Request Forgery): the extension's hover-preview code path listens for mouseover DOM events to fetch summaries for hovered links, but it does not check the event's isTrusted property, allowing JavaScript on a malicious page to fire synthetic MouseEvent objects at attacker-chosen anchor elements. Because the daemon attaches stored authentication tokens to outbound fetches, the attacker can coerce the daemon into reaching arbitrary URLs - including loopback (127.0.0.1), link-local, and RFC1918 private-network endpoints - that are normally unreachable from the public web.

RemediationAI

Upgrade to the vendor-released patched version Summarize 0.15.2 by reinstalling the Chrome or Firefox extension from the v0.15.2 release bundle (dist-chrome/summarize-chrome-extension-v0.15.2.zip or dist-firefox/summarize-firefox-extension-v0.15.2.zip at https://github.com/steipete/summarize/releases/tag/v0.15.2) and updating the CLI via npm to @steipete/summarize@0.15.2; review the VulnCheck advisory at https://www.vulncheck.com/advisories/summarize-unauthorized-daemon-request-via-untrusted-events and the fix commit ecbb2c4 for verification. If immediate patching is not possible, compensating controls include disabling the hover summary feature in the extension settings (eliminates the trigger but removes a core UX feature), restricting the local daemon to bind only to 127.0.0.1 with a host-firewall rule that blocks the daemon process from reaching RFC1918 and link-local ranges (limits SSRF impact but may break legitimate internal integrations), or temporarily disabling the extension on untrusted browsing profiles. Audit daemon access logs for unexpected requests to internal IPs from the extension's user-agent.

Share

EUVD-2026-30795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy