CVE Catalog

CVE-2026-45243

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile - higher than 9% of all known CVEs

Summary

A missing authorization vulnerability in Summarize prior to 0.15.1 in the content script window.postMessage bridge allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

Risk Assessment

The risk involves unauthorized access to sensitive automation data, potentially leading to information disclosure, process manipulation, or privilege escalation within the browser environment.

Recommendation

Immediately update Summarize to version 0.15.1 or later, which includes a fix for the missing authorization in the window.postMessage bridge.

Original NVD description (English source)

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS