QwikSec

Security Database

CVE

CWE

Training

CVE-2026-45242

Published: May 18, 2026

Modified: May 18, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction.

Vendor	Product	Versions
steipete	summarize	affected `0 - < 0.15.1` unaffected `ec8efd63295656fbfe8743620179c489bc5a242f`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

References

https://github.com/steipete/summarize/releases/tag/v0.15.2

release-notes

https://github.com/steipete/summarize/pull/220

issue-tracking

https://github.com/steipete/summarize/commit/ec8efd63295656fbfe8743620179c489bc5a242f

patch

https://www.vulncheck.com/advisories/summarize-path-traversal-via-slidesdir-parameter

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.