CVE-2026-32138 (GCVE-0-2026-32138)
Vulnerability from cvelistv5 – Published: 2026-03-12 18:32 – Updated: 2026-03-12 20:46
Title
NEXULEAN API Key Leak
Summary
NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0.
Severity
8.2 (High)
Assigner
GitHub_M
References
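| URL | Tags |
|---|---|
| https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm | x_refsource_CONFIRM |
| https://github.com/Stalin-143/website/releases/tag/v2.0.0 | x_refsource_MISC |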
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Stalin-143 | website | Affected: < 2.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T20:38:48.823995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T20:46:51.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "website",
"vendor": "Stalin-143",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NEXULEAN is a cybersecurity portfolio \u0026 service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T18:32:15.489Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm"
},
{
"name": "https://github.com/Stalin-143/website/releases/tag/v2.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Stalin-143/website/releases/tag/v2.0.0"
}
],
"source": {
"advisory": "GHSA-r7cr-5wcx-x9wm",
"discovery": "UNKNOWN"
},
"title": "NEXULEAN API Key Leak"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32138",
"datePublished": "2026-03-12T18:32:15.489Z",
"dateReserved": "2026-03-10T22:19:36.546Z",
"dateUpdated": "2026-03-12T20:46:51.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32138",
"date": "2026-04-20",
"epss": "0.00074",
"percentile": "0.22228"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.