CVE-2026-45243
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
A missing authorization vulnerability in Summarize prior to 0.15.1 in the content script window.postMessage bridge allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
Risk Assessment
The risk involves unauthorized access to sensitive automation data, potentially leading to information disclosure, process manipulation, or privilege escalation within the browser environment.
Recommendation
Immediately update Summarize to version 0.15.1 or later, which includes a fix for the missing authorization in the window.postMessage bridge.
Original NVD description (English source)
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

