Vulnerability-Lookup

CVE-2026-5128 (GCVE-0-2026-5128)

Vulnerability from cvelistv5 – Published: 2026-03-30 09:18 – Updated: 2026-03-31 12:38

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2026-03-31T12:38:28.035Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-5128",
    "datePublished": "2026-03-30T09:18:05.381Z",
    "dateRejected": "2026-03-31T12:38:28.035Z",
    "dateReserved": "2026-03-30T09:09:01.638Z",
    "dateUpdated": "2026-03-31T12:38:28.035Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-5128\",\"sourceIdentifier\":\"309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c\",\"published\":\"2026-03-30T10:16:02.610\",\"lastModified\":\"2026-03-31T13:16:13.660\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}],\"metrics\":{},\"references\":[]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c\", \"shortName\": \"TuranSec\", \"dateUpdated\": \"2026-03-31T12:38:28.035Z\"}, \"rejectedReasons\": [{\"lang\": \"en\", \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-5128\", \"assignerOrgId\": \"309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c\", \"state\": \"REJECTED\", \"assignerShortName\": \"TuranSec\", \"dateReserved\": \"2026-03-30T09:09:01.638Z\", \"datePublished\": \"2026-03-30T09:18:05.381Z\", \"dateUpdated\": \"2026-03-31T12:38:28.035Z\", \"dateRejected\": \"2026-03-31T12:38:28.035Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-RGHM-P4MW-93H3

Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-31 15:31

Details

A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.

Severity ?

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10.0 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-5128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T10:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users\u00a0API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.",
  "id": "GHSA-rghm-p4mw-93h3",
  "modified": "2026-03-31T15:31:55Z",
  "published": "2026-03-30T12:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arthurfiorette/steam-trader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2026-5128

Vulnerability from fkie_nvd - Published: 2026-03-30 10:16 - Updated: 2026-03-31 13:16

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
    }
  ],
  "id": "CVE-2026-5128",
  "lastModified": "2026-03-31T13:16:13.660",
  "metrics": {},
  "published": "2026-03-30T10:16:02.610",
  "references": [],
  "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
  "vulnStatus": "Rejected"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-5128 (GCVE-0-2026-5128)

GHSA-RGHM-P4MW-93H3

FKIE_CVE-2026-5128

Tags

Sightings

Nomenclature