{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32138", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.546Z", "datePublished": "2026-03-12T18:32:15.489Z", "dateUpdated": "2026-03-12T20:46:51.699Z"}, "containers": {"cna": {"title": "NEXULEAN API Key Leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-798", "lang": "en", "description": "CWE-798: Use of Hard-coded Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm"}, {"name": "https://github.com/Stalin-143/website/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Stalin-143/website/releases/tag/v2.0.0"}], "affected": [{"vendor": "Stalin-143", "product": "website", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:32:15.489Z"}, "descriptions": [{"lang": "en", "value": "NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0."}], "source": {"advisory": "GHSA-r7cr-5wcx-x9wm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:38:48.823995Z", "id": "CVE-2026-32138", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:46:51.699Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32138", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T20:38:48.823995Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:38:56.285Z"}}], "cna": {"title": "NEXULEAN API Key Leak", "source": {"advisory": "GHSA-r7cr-5wcx-x9wm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Stalin-143", "product": "website", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm", "name": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Stalin-143/website/releases/tag/v2.0.0", "name": "https://github.com/Stalin-143/website/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:32:15.489Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32138", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:46:51.699Z", "dateReserved": "2026-03-10T22:19:36.546Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:32:15.489Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0."}, {"lang": "es", "value": "NEXULEAN es una plataforma de cartera y servicios de ciberseguridad para un Hacker \u00c9tico, Entusiasta de la IA y Probador de Penetraci\u00f3n. Antes de la versi\u00f3n 2.0.0, se identific\u00f3 una vulnerabilidad de seguridad donde las claves API de Firebase y Web3Forms estaban expuestas. Un atacante podr\u00eda usar estas claves para interactuar con los servicios de backend sin autenticaci\u00f3n, lo que podr\u00eda llevar a un acceso no autorizado a los recursos de la aplicaci\u00f3n y a los datos del usuario. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.0.0."}], "id": "CVE-2026-32138", "lastModified": "2026-04-16T14:47:16.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T19:16:16.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Stalin-143/website/releases/tag/v2.0.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "website", "source": "cna", "vendor": "Stalin-143"}, "product": "website", "vendor": "stalin-143"}], "analysis": {"en": {"generated_at": "2026-03-18T14:53:42.381338+00:00", "value": {"mitigation_remediation": ["Upgrade to version 2.0.0 or later to remove exposed keys", "Verify that no API keys are present in configuration or code after the upgrade", "Harden backend services to require proper authentication before allowing access", "Monitor application logs for unauthorized access attempts"], "summary": {"action": "Upgrade", "impact": "Unauthorized API Access"}, "threat_synthesis": {"affected_systems": "The issue is present in the Stalin\u2011143 website project before version 2.0.0, which was released in the public GitHub repository. Any deployment using a pre\u20112.0.0 release is vulnerable. The affected components include Firebase services and Web3Forms integration points where API keys were inadvertently exposed.", "description_and_impact": "The vulnerability allows an attacker to obtain exposed Firebase and Web3Forms API keys due to improper handling of sensitive credentials. With these keys, an adversary can make unauthenticated requests to backend services, potentially accessing or modifying application resources and user data. This represents a significant breach of confidentiality and integrity and is classified as a high\u2011severity issue (CVSS 8.2).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high risk of successful exploitation. EPSS is below 1%, suggesting that active exploitation is currently rare, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves an attacker making direct HTTP or HTTPS requests to backend endpoints using the leaked keys, bypassing authentication, and accessing protected resources. The vulnerability is local to the web application\u2019s configuration; an attacker only needs to obtain the keys, which are publicly exposed in the repository."}}}}, "created": "2026-03-13T09:50:21.339308+00:00", "updated": "2026-03-23T09:55:04.182628+00:00", "vendors": ["stalin-143", "stalin-143$PRODUCT$website"]}