Critical: Extreme danger

Known CVE Templates (10,000+)

A06:2025 | Active check

Critical impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.

What it is

Template-driven checks for thousands of named CVEs, default credentials, exposures, and misconfigurations.

How attackers abuse it

A secret (API key, token, password) is exposed in your front-end code or responses. Anyone can read it and use it as you: charge cards, drain an AI budget, or read your database.

Attacker playbook

  1. Open the site's public JavaScript and search for key patterns and high-entropy strings.
  2. Pull out any secret key found in the client code.
  3. Use it directly against the provider's API, on your account.

How VibeSec detects and confirms it

VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using Nuclei and OWASP ZAP. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.

If this is in your report: how to fix it

  • Rotate the exposed secret immediately and assume it is compromised.
  • Move secrets to server-side environment variables; never ship them to the browser.
  • Call third-party APIs from your server, and re-scan to confirm the key is gone.
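
The "re-scan to confirm the key is gone" step can also run locally on your build output before deploy. This is an added example, not VibeSec's, Nuclei's or OWASP ZAP's code: it flags known key patterns and high-entropy string literals in bundle text. The rule list, the thresholds and the names `KEY_PATTERNS`, `scanBundle` and `SAMPLE_BUNDLE` are assumptions made for the example.

```javascript
// Added example. KEY_PATTERNS is a small illustrative set (an assumption), not a full ruleset.
const KEY_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "stripe-live-secret-key", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
];

// Shannon entropy in bits per character; random tokens score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns findings with redacted previews so the report does not leak the value.
function scanBundle(text, { minLen = 24, minEntropy = 4.0 } = {}) {
  const findings = [];
  const seen = new Set();
  const add = (rule, value, index) => {
    if (seen.has(value)) return; // one finding per distinct value
    seen.add(value);
    const line = text.slice(0, index).split("\n").length;
    findings.push({ rule, line, preview: `${value.slice(0, 4)}... (${value.length} chars)` });
  };
  for (const { name, re } of KEY_PATTERNS) {
    for (const m of text.matchAll(re)) add(name, m[0], m.index);
  }
  // Quoted literals that are long and random enough to be a token.
  const literal = /["'`]([A-Za-z0-9+\/_=-]{16,})["'`]/g;
  for (const m of text.matchAll(literal)) {
    if (m[1].length >= minLen && shannonEntropy(m[1]) >= minEntropy) {
      add("high-entropy-string", m[1], m.index);
    }
  }
  return findings;
}

// Constructed sample bundle. The AWS value is the placeholder key from AWS docs;
// the bearer token is made up for this example.
const SAMPLE_BUNDLE = [
  'const cfg={region:"us-east-1",accessKeyId:"AKIAIOSFODNN7EXAMPLE"};',
  'const cls="container-fluid-wrapper-main-content";',
  'fetch(u,{headers:{Authorization:"Bearer "+"q8Zr2LxV0nB7tYc4KpWm9Jd3HsGf6Eau"}});',
].join("\n");
```

On the sample, `scanBundle(SAMPLE_BUNDLE)` reports the access key ID on line 1 and the bearer token on line 3, and skips the long CSS class name because its entropy is below the threshold.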
