Skip to main content

Summarize

8 CVEs product

Monthly

CVE-2026-53782 MEDIUM PATCH This Month

Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.

SSRF Summarize
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53781 MEDIUM PATCH This Month

Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or media URL to cause denial of service by circumventing the tool's enforced media download size limit. The size cap can be bypassed through missing or misreported Content-Length headers, chunked transfer encoding, or deliberately failed HEAD requests, causing the CLI's temp-file download path to stream an unbounded response directly to local storage. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified, and EPSS data is unavailable; however, the zero authentication requirement on the attacker side and low attack complexity make this a credible threat for users who process untrusted or third-party feeds.

Denial Of Service Summarize
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-45246 MEDIUM PATCH This Month

Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys and provider credentials to other local users on shared Unix-like systems. All versions prior to 0.15.1 (CPE: cpe:2.3:a:steipete:summarize) are affected via a specific code path - the refresh-free configuration rewrite - that creates replacement config files using the process default umask rather than preserving original file permissions. No public exploit code exists and this is not listed in the CISA KEV catalog; however, the high-confidentiality CVSS signal (C:H) reflects the real sensitivity of what is exposed (API keys, provider credentials) when Summarize is used on multi-user Unix environments.

Information Disclosure Summarize
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-45245 npm MEDIUM PATCH This Month

Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coerce the extension's hover summary feature into issuing authenticated requests to local or private-network URLs via the user's daemon. The flaw stems from the extension processing synthetic mouseover events without verifying their trustworthiness, enabling attacker-controlled links to route authenticated daemon requests using stored tokens. No public exploit identified at time of analysis, but a vendor patch is available and the issue was reported by VulnCheck.

SSRF Summarize
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-45244 npm LOW PATCH Monitor

Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-45242 npm HIGH PATCH GHSA This Week

Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.

Path Traversal Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-45243 npm MEDIUM PATCH This Month

Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45222 npm MEDIUM PATCH This Month

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.

SSRF Summarize
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or media URL to cause denial of service by circumventing the tool's enforced media download size limit. The size cap can be bypassed through missing or misreported Content-Length headers, chunked transfer encoding, or deliberately failed HEAD requests, causing the CLI's temp-file download path to stream an unbounded response directly to local storage. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified, and EPSS data is unavailable; however, the zero authentication requirement on the attacker side and low attack complexity make this a credible threat for users who process untrusted or third-party feeds.

Denial Of Service Summarize
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Insecure file permission assignment in the @steipete/summarize CLI tool exposes configuration files containing API keys and provider credentials to other local users on shared Unix-like systems. All versions prior to 0.15.1 (CPE: cpe:2.3:a:steipete:summarize) are affected via a specific code path - the refresh-free configuration rewrite - that creates replacement config files using the process default umask rather than preserving original file permissions. No public exploit code exists and this is not listed in the CISA KEV catalog; however, the high-confidentiality CVSS signal (C:H) reflects the real sensitivity of what is exposed (API keys, provider credentials) when Summarize is used on multi-user Unix environments.

Information Disclosure Summarize
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Server-side request forgery in the Summarize browser extension prior to version 0.15.2 allows malicious web pages to coerce the extension's hover summary feature into issuing authenticated requests to local or private-network URLs via the user's daemon. The flaw stems from the extension processing synthetic mouseover events without verifying their trustworthiness, enabling attacker-controlled links to route authenticated daemon requests using stored tokens. No public exploit identified at time of analysis, but a vendor patch is available and the issue was reported by VulnCheck.

SSRF Summarize
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Missing authorization in the Summarize browser extension (versions prior to 0.15.1/0.15.2, CPE: cpe:2.3:a:steipete:summarize) allows remote unauthenticated attackers to execute browser automation actions - including navigation and debugger-backed operations - without triggering per-call user approval. Exploitation requires the extension automation feature to be enabled and the user to interact with attacker-controlled content (UI:R per CVSS), making this a prompt-injection-driven authorization bypass rather than a standalone remote attack. No public exploit has been identified at time of analysis, and the vendor released a patch in v0.15.2 as reported by VulnCheck.

Authentication Bypass Summarize
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in steipete/summarize prior to 0.15.1 lets authenticated callers of the /v1/summarize daemon endpoint write slide_*.png and slides.json files to arbitrary directories by supplying an absolute path or traversal sequences in the slidesDir parameter, and subsequently delete matching files via repeat extraction. The flaw, reported by VulnCheck and patched in v0.15.2, enables file write and limited destructive impact across the filesystem; no public exploit identified at time of analysis.

Path Traversal Authentication Bypass Summarize
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in the Summarize browser extension's content script window.postMessage bridge permits any malicious web page to perform unauthorized CRUD operations on automation artifacts scoped to the affected browser tab. By injecting messages with spoofed sender identifiers, an attacker-controlled page bypasses all authorization checks - enabling it to list, read, create, overwrite, or delete extension-managed artifacts without user awareness. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the attack barrier is low: exploitation requires only that the victim passively visit a malicious page while the extension is active.

Authentication Bypass Summarize
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Authentication Bypass Summarize
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy