CVE-2026-45245: Hover Summary Feature Exposes Authenticated Requests

The National Vulnerability Database has published CVE-2026-45245, a high-severity vulnerability (CVSS 7.4) in the hover summary feature of a browser extension, affecting versions prior to 0.15.1. A malicious web page can dispatch synthetic mouseover events over links it controls; the extension reacts to those events by making authenticated requests to its local daemon with stored tokens, without first checking whether the event is trusted, that is, generated by the user rather than by page script.

The flaw is classified under CWE-918 (Server-Side Request Forgery) and CWE-940 (Improper Verification of Source of a Communication Channel); the net effect is an authenticated SSRF. An attacker places localhost or private-network URLs behind the hoverable links, and when a victim loads the attacker-controlled content the daemon forwards authenticated requests to those internal endpoints, exposing internal systems and data.

This is not a theoretical bypass. The page does not even need the user to hover: script on the page can fire the mouseover event itself, so merely loading attacker-controlled content is enough. No credentials are stolen; the attacker borrows the extension's stored token, turning the victim's browser and its local daemon into a proxy for reconnaissance of, and data retrieval from, internal services. Because the requests originate from a trusted local component, this path is easy to miss in network-centric monitoring.
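To make the mechanism concrete, here is an added example (not the affected extension's code) of a hover-summary handler in its vulnerable and hardened forms, runnable under Node. Events are modelled as plain objects shaped like DOM MouseEvents because Node has no DOM; in a browser, `event.isTrusted` is set by the user agent and cannot be forged by page script. The daemon API, its `summarize` call and the token are assumptions for illustration.

```javascript
// Added example, not the affected extension's code. Models the hover-summary
// handler described in the advisory: the vulnerable form forwards any link the
// page "hovers", the hardened form requires a user-generated event and a
// public http(s) target. Daemon API shape and token are assumptions.

// True when the URL points at the local host, link-local or private ranges
// (or is not http/https at all). The WHATWG URL parser normalises numeric
// IPv4 spellings such as http://2130706433/ to 127.0.0.1 before we look.
function isInternalUrl(href) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return true; // unparsable: refuse rather than guess
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();

  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.includes(':')) {
    // IPv6 literal: loopback, unspecified, link-local, ULA, IPv4-mapped
    return host === '::1' || host === '::' || host.startsWith('fe80:') ||
      /^f[cd]/.test(host) || host.startsWith('::ffff:');
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  // Public hostname. A production check must also vet the resolved address
  // (DNS rebinding), which is why the daemon should repeat this check itself.
  return false;
}

// Stand-in for the local daemon: records what the extension would have sent.
function makeDaemon() {
  const requests = [];
  return {
    requests,
    summarize(url, token) {
      requests.push({ url, token });
      return { ok: true };
    },
  };
}

// Vulnerable: any mouseover, synthetic or not, triggers an authenticated call
// with whatever href the page put on the link.
function vulnerableHoverHandler(daemon, token) {
  return (event) => {
    daemon.summarize(event.target.href, token);
    return 'sent';
  };
}

// Hardened: reject script-dispatched events, then reject internal targets.
function hardenedHoverHandler(daemon, token) {
  return (event) => {
    if (!event.isTrusted) return 'rejected:untrusted-event';
    const href = event.target.href;
    if (isInternalUrl(href)) return 'rejected:internal-url';
    daemon.summarize(href, token);
    return 'sent';
  };
}

// What a malicious page does: fire synthetic mouseover events over links it
// controls, each pointing at an internal target (constructed sample URLs).
// Returns the URLs the daemon actually received under the given handler.
function simulateAttack(handlerFactory) {
  const daemon = makeDaemon();
  const onHover = handlerFactory(daemon, 'stored-token-placeholder');
  const targets = [
    'http://127.0.0.1:8080/admin',
    'http://169.254.169.254/latest/meta-data/',
    'http://10.0.0.5/internal/report',
  ];
  for (const href of targets) {
    // In a browser: link.dispatchEvent(new MouseEvent('mouseover', {bubbles: true}))
    onHover({ isTrusted: false, target: { href } });
  }
  return daemon.requests.map((r) => r.url);
}

console.log('vulnerable handler forwarded:', simulateAttack(vulnerableHoverHandler));
console.log('hardened handler forwarded:', simulateAttack(hardenedHoverHandler));
```

Two caveats worth keeping in mind. The `isTrusted` check defeats synthetic dispatch but not a genuine hover that the page lures onto a disguised or cursor-tracking link, so the target-URL check is the control that actually closes the SSRF. And because a content script runs in an environment the page can influence, the daemon itself should enforce the same URL policy rather than trusting the extension to have done so.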

What This Means For You

  • If the affected extension (any version of its hover summary feature prior to 0.15.1) is installed in your environment, inventory the installed versions now and update to 0.15.1 or later. Until that is done, treat each unpatched instance as a potential pivot: the browser already sits inside your network, so the authenticated requests the daemon makes on its behalf reach hosts that network segmentation would otherwise block. Extend the audit to other browser extensions that route page-driven requests through a local agent, and confirm they are on current versions.

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-45245: Authenticated Daemon Request via Synthetic Mouseover

title: CVE-2026-45245: Authenticated Daemon Request via Synthetic Mouseover
id: scw-2026-05-18-ai-1
status: experimental
level: high
description: |
  Detects possible exploitation of CVE-2026-45245: POST requests to the local
  daemon's API whose Referer is a web page rather than the extension's own
  origin, consistent with a page dispatching synthetic mouseover events that
  make the extension issue authenticated daemon requests. The daemon must log
  requests in a web-server format for this rule to apply. The URI path and the
  extension origins below are placeholders; replace them with the real daemon
  path and the extension's actual origin before deploying.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45245/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/api/v1/daemon'   # placeholder daemon API path
    cs-method: 'POST'
  filter_extension_origin:
    cs-referer|startswith:                   # placeholder extension origins
      - 'chrome-extension://'
      - 'moz-extension://'
  condition: selection and not filter_extension_origin
falsepositives:
  - Legitimate administrative activity
  - Other local clients of the daemon that send a web-page Referer

Source: Shimi's Cyber World
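To show what the rule's selection logic actually flags, here is an added example (not part of the original page or any vendor tooling) that applies it to constructed W3C-style access-log lines under Node. The field order, the daemon path `/api/v1/daemon` and the extension-origin prefixes are assumptions carried over from the rule; adjust them to the real daemon's log format and the extension's actual origin.

```javascript
// Added example, not from the original page: the Sigma selection above
// (POST to the daemon API, Referer not the extension's own origin) applied
// to sample access-log lines. Log lines, field order, daemon path and
// extension origins are all constructed/assumed for this example.

// Constructed sample log in W3C extended format (one request per line).
const SAMPLE_LOG = `
#Fields: date time c-ip cs-method cs-uri-stem cs-referer sc-status
2026-05-18 23:20:01 127.0.0.1 POST /api/v1/daemon/summarize chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html 200
2026-05-18 23:20:05 127.0.0.1 POST /api/v1/daemon/summarize https://attacker.example/lure.html 200
2026-05-18 23:20:06 127.0.0.1 GET /api/v1/daemon/status - 200
2026-05-18 23:20:09 127.0.0.1 POST /api/v1/daemon/summarize https://attacker.example/lure.html 200
2026-05-18 23:21:00 127.0.0.1 POST /healthz https://intranet.example/ 200
`;

// Placeholder: the extension's own origin(s). A real deployment pins the
// exact extension ID rather than the whole scheme.
const TRUSTED_REFERER_PREFIXES = ['chrome-extension://', 'moz-extension://'];
const DAEMON_API_PATH = '/api/v1/daemon'; // placeholder from the rule

// Parse the sample into objects; comment/directive lines are skipped.
function parseLog(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [date, time, cIp, method, uriStem, referer, status] = line.split(/\s+/);
    entries.push({ date, time, cIp, method, uriStem, referer, status: Number(status) });
  }
  return entries;
}

// Sigma condition: selection and not filter_extension_origin.
// A missing Referer ('-') is deliberately NOT treated as trusted: an
// unattributable POST to the daemon API is still worth a look.
function matchesRule(e) {
  const selection = e.method === 'POST' && e.uriStem.includes(DAEMON_API_PATH);
  const filterExtensionOrigin = TRUSTED_REFERER_PREFIXES.some((p) => e.referer.startsWith(p));
  return selection && !filterExtensionOrigin;
}

function findSuspectRequests(text) {
  return parseLog(text).filter(matchesRule);
}

// Group hits by Referer so an analyst sees which page drove the requests.
function summarizeByReferer(hits) {
  const counts = new Map();
  for (const h of hits) counts.set(h.referer, (counts.get(h.referer) || 0) + 1);
  return Object.fromEntries(counts);
}

const hits = findSuspectRequests(SAMPLE_LOG);
console.log(`${hits.length} suspect daemon request(s)`);
console.log(summarizeByReferer(hits));
```

Against the sample, the extension's own request and the GET status probe are ignored, while the two POSTs referred from the lure page are reported. If the daemon does not emit a Referer field, this logic cannot discriminate and the rule degrades to "any POST to the daemon API", so check the daemon's log schema before relying on it.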


Indicators of Compromise

The source lists the following as "IOCs". They restate the vulnerability description rather than naming observable artifacts (hashes, domains, request signatures), so treat them as context, not as matchable indicators.

ID               Type                    Indicator
CVE-2026-45245   SSRF                    Summarize prior to 0.15.1
CVE-2026-45245   Auth Bypass             hover summary feature allows dispatching synthetic mouseover events over attacker-controlled links
CVE-2026-45245   Information Disclosure  extension makes authenticated daemon requests using stored tokens without verifying event trustworthiness
CVE-2026-45245   SSRF                    attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 18, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

