You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: advisories/github-reviewed/2026/05/GHSA-2r69-qgv3-hr65/GHSA-2r69-qgv3-hr65.json
+35-6Lines changed: 35 additions & 6 deletions
Original file line number
Diff line number
Diff line change
@@ -1,23 +1,44 @@
1
1
{
2
2
"schema_version": "1.4.0",
3
3
"id": "GHSA-2r69-qgv3-hr65",
4
-
"modified": "2026-05-18T21:31:51Z",
4
+
"modified": "2026-05-29T20:00:00Z",
5
5
"published": "2026-05-18T21:31:51Z",
6
6
"aliases": [
7
7
"CVE-2026-45245"
8
8
],
9
-
"details": "Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.",
9
+
"summary": "Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links",
10
+
"details": "Summarize prior to 0.15.0 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.",
0 commit comments