Skip to main content

Summarize EUVDEUVD-2026-36308

| CVE-2026-53782 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-11 VulnCheck GHSA-3vx2-vqx8-jxfg
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Network SSRF via attacker-controlled RSS feed; scope change exposes internal services (C:H); requires user to process the malicious feed (UI:R); no integrity or availability impact demonstrated.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 20:21 vuln.today
Analysis Generated
Jun 11, 2026 - 20:21 vuln.today

DescriptionCVE.org

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying malicious podcast:transcript URL values. Attackers can bypass protections through DNS rebinding and redirect-based techniques, as redirect targets are not revalidated and hostnames are not resolved before request dispatch, exposing internal service responses through the summarization flow.

AnalysisAI

Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.

Technical ContextAI

The affected product is cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:* in all releases before 0.17.0. Summarize is a CLI and Chrome-extension tool that fetches and summarizes content from various sources, including podcast RSS feeds that may reference external transcript URLs via the podcast:transcript namespace. CWE-918 (Server-Side Request Forgery) describes the root cause: user-supplied URLs are dispatched to the network without adequate validation that the resolved destination is a permitted external host. Two structural weaknesses amplify the base SSRF: first, hostnames are not resolved to their IP addresses before the request is dispatched, so allow/block-list checks based on hostnames or naive IP inspection can be bypassed by DNS rebinding (TTL-expiry rescheduling to an internal IP after the initial check passes); second, HTTP redirects are followed without revalidating the new destination URL against the same block-list rules, meaning an attacker can redirect through a legitimate intermediate host to an internal target.

RemediationAI

The primary remediation is upgrading to Summarize v0.17.0 or later, which contains the vendor-released patch addressing the SSRF root cause (https://github.com/steipete/summarize/releases/tag/v0.17.0; patch commit: https://github.com/steipete/summarize/commit/3c5522440c4833dde033e226baa39e6dda1dfc75). Until upgrade is possible, operators should restrict which podcast RSS feed sources Summarize is permitted to process - for example, by allowing only feeds from a curated allowlist of trusted publishers - which reduces the attacker's ability to inject malicious transcript URLs. As a network-level compensating control, deploying Summarize in a network segment with egress filtering that blocks requests to RFC 1918 ranges, loopback, and link-local addresses at the firewall layer will partially mitigate the SSRF impact, though this does not address DNS rebinding bypasses without also enforcing short DNS TTL policies or using a DNS resolver that rejects internal-resolving responses for external hostnames. Note that redirect-following cannot be safely mitigated at the network layer alone; the application-level fix in v0.17.0 is strongly preferred. VulnCheck advisory: https://www.vulncheck.com/advisories/summarize-ssrf-via-podcast-transcript-url-fetch.

Share

EUVD-2026-36308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy