CVE-2026-45243
MEDIUM
Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script
Title source: cna
Description
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
References (4)
Core References
Release Notes release-notes
https://github.com/steipete/summarize/releases/tag/v0.15.2
Issue Tracking issue-tracking
https://github.com/steipete/summarize/pull/222
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script
Scores
CVSS v3
6.1
EPSS
0.0019
EPSS Percentile
9.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (3)
steipete/summarize
< 0.15.1 (2 CPE variants)
steipete/summarize
0 - 0.15.0 (npm)
steipete/summarize
357544063af535bd574752622f9eb94be33ee5fd
Published
May 18, 2026
Tracked Since
May 19, 2026