diff --git a/patches/CVE-2026-32138.md b/patches/CVE-2026-32138.md new file mode 100644 index 0000000..b01f31d --- /dev/null +++ b/patches/CVE-2026-32138.md @@ -0,0 +1,28 @@ +![CVE](https://img.shields.io/badge/CVE-2026--32138-red) + +# CVE-2026-32138 — API Key Exposure (Nexulean Website) + +**Severity:** High +**CWE:** CWE-284, CWE-798 + +## Summary +Exposed Firebase and Web3Forms API keys allowed unauthorized access to backend services. + +## Impact +- Unauthorized database access +- Exposure of user data +- Abuse of third-party services + +## Affected +v1.0.0 + +## Fixed +v2.0.0 + +## References +- https://github.com/advisories/GHSA-r7cr-5wcx-x9wm +- https://github.com/Stalin-143/website/releases/tag/v2.0.0 + +## Credits +Reporter: rootcrypt +Coordinator: Stalin-143
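Review bot: The "## Fixed" section gives only `v2.0.0` and the file has no remediation section, so a reader cannot tell whether the exposed Firebase and Web3Forms keys were revoked and rotated or only removed from the code. Upgrading does not invalidate a key that was already exposed. Suggest adding a short "## Remediation" section that states whether the keys were rotated and what operators of v1.0.0 deployments need to do. The header also lists CWE-284 next to CWE-798, but the "## Summary" only describes the exposed keys. One sentence on which access control was missing on the backend would justify that CWE entry. Finally, "## Affected" names the single version `v1.0.0`. If every release before v2.0.0 is affected, write it as a range (for example `< 2.0.0`) so it can be matched against the linked GHSA entry.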