Validated Secret Detected

Critical - Web App Scanning Plugin ID 115118

Synopsis

Validated Secret Detected

Description

The scanner identified a hard-coded secret within the web application and validated that it is active and exploitable, allowing an attacker to authenticate to the associated service, access sensitive data, or perform unauthorized actions.

Secrets such as API keys, access tokens, and service credentials are often inadvertently exposed in client-side JavaScript, HTML comments, configuration files, or application responses.

Immediate action is required to revoke and rotate the exposed secret.

Solution

Remove the secret exposure by identifying the root cause of the issue (for example, a secret inserted manually into the code, or environment variables being bundled into front-end JavaScript). Rotate the secret to prevent further use in case it has already been retrieved by a malicious actor.
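As an added example (not Tenable's plugin logic), a small pre-deployment check a team could run over built front-end assets to catch hard-coded secrets before they ship, which also addresses the bundled-environment-variable root cause named above. The AWS access key format is the one AWS documents publicly; the assignment heuristic, the entropy threshold, the `Finding` type and the sample bundle text are assumptions constructed for this example.

```python
import math
import re
from dataclasses import dataclass

# Heuristics for secrets that commonly leak into front-end bundles and HTML.
# The AWS key id format is publicly documented; the assignment pattern and
# the entropy threshold below are assumptions chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; words and placeholders score lower


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    value: str


def shannon_entropy(s):
    """Per-character Shannon entropy; random-looking key material scores high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_candidate_secrets(text):
    """Scan a bundle/HTML file line by line and return candidate secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PATTERNS["aws_access_key_id"].finditer(line):
            findings.append(Finding("aws_access_key_id", lineno, m.group(0)))
        for m in PATTERNS["credential_assignment"].finditer(line):
            value = m.group(2)
            # Skip low-entropy placeholders such as REPLACE_ME_REPLACE_ME.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding("credential_assignment", lineno, value))
    return findings


def redact(value):
    """Never echo the full secret into CI logs; keep just enough to locate it."""
    return value[:4] + "..." + value[-2:]


# Constructed sample of a built front-end file (not real credentials).
SAMPLE_BUNDLE = """\
// constructed sample bundle
const cfg = { apiBase: "/api/v2", token: "REPLACE_ME_REPLACE_ME" };
const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE" });
<!-- todo: remove -> password="q7Gx2vLp9ZmWc4RtY8Hn" -->
"""

if __name__ == "__main__":
    for f in find_candidate_secrets(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.kind} -> {redact(f.value)}")
```

Run it against the build output directory in CI and fail the pipeline on any finding; anything it reports still needs revocation and rotation, since the artifact may already have been served.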

See Also

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage

Plugin Details

Severity: Critical

ID: 115118

Type: remote

Published: 3/10/2026

Updated: 3/10/2026

Scan Template: api, basic, full, mcp, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: Tenable
