CVE-2026-45242

high

Description

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.

References

https://www.vulncheck.com/advisories/summarize-path-traversal-via-slidesdir-parameter

https://github.com/steipete/summarize/releases/tag/v0.15.2

https://github.com/steipete/summarize/pull/220

https://github.com/steipete/summarize/commit/ec8efd63295656fbfe8743620179c489bc5a242f

Details

Source: Mitre, NVD

Published: 2026-05-18

Updated: 2026-05-19

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:P

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Severity: High

CVSS v4

Base Score: 7.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00066