CVE-2026-53782
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
The vulnerability in Summarize before version 0.17.0 allows attackers controlling a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying malicious podcast:transcript URL values.
Risk Assessment
Attackers can bypass protections through DNS rebinding and redirect-based techniques, exposing internal service responses through the summarization flow.
Recommendation
It is recommended to upgrade to the latest version of Summarize to eliminate this vulnerability and implement additional security measures to mitigate SSRF attacks.
Original NVD description (English source)
Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying malicious podcast:transcript URL values. Attackers can bypass protections through DNS rebinding and redirect-based techniques, as redirect targets are not revalidated and hostnames are not resolved before request dispatch, exposing internal service responses through the summarization flow.

