Skip to content

Commit 315f92d

Browse files
1 parent e451946 commit 315f92d

1 file changed

Lines changed: 35 additions & 6 deletions

File tree

advisories/unreviewed/2026/05/GHSA-2r69-qgv3-hr65/GHSA-2r69-qgv3-hr65.json renamed to advisories/github-reviewed/2026/05/GHSA-2r69-qgv3-hr65/GHSA-2r69-qgv3-hr65.json

Lines changed: 35 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,44 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2r69-qgv3-hr65",
4-
"modified": "2026-05-18T21:31:51Z",
4+
"modified": "2026-05-29T20:00:00Z",
55
"published": "2026-05-18T21:31:51Z",
66
"aliases": [
77
"CVE-2026-45245"
88
],
9-
"details": "Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.",
9+
"summary": "Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links",
10+
"details": "Summarize prior to 0.15.0 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
1415
},
1516
{
1617
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "@steipete/summarize"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"fixed": "0.15.1"
36+
}
37+
]
38+
}
39+
]
1840
}
1941
],
20-
"affected": [],
2142
"references": [
2243
{
2344
"type": "ADVISORY",
@@ -31,6 +52,14 @@
3152
"type": "WEB",
3253
"url": "https://github.com/steipete/summarize/commit/ecbb2c414255aa480a15d0d8b205224c14cfdbcb"
3354
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/steipete/summarize"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://github.com/steipete/summarize/releases/tag/v0.15.1"
62+
},
3463
{
3564
"type": "WEB",
3665
"url": "https://github.com/steipete/summarize/releases/tag/v0.15.2"
@@ -45,8 +74,8 @@
4574
"CWE-918"
4675
],
4776
"severity": "MODERATE",
48-
"github_reviewed": false,
49-
"github_reviewed_at": null,
77+
"github_reviewed": true,
78+
"github_reviewed_at": "2026-05-29T20:00:00Z",
5079
"nvd_published_at": "2026-05-18T20:16:38Z"
5180
}
5281
}

0 commit comments

Comments
 (0)