CVE-2026-45243

Sažetak

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

Reference

https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd
https://github.com/steipete/summarize/pull/222
https://github.com/steipete/summarize/releases/tag/v0.15.2
https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script

CVSS

Base:	6.1
Impact:	2.7
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

19-05-2026 - 01:34

Objavljeno

18-05-2026 - 19:16