CVE-2026-25802

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potentially unsafe operation in the `MarkdownRenderer.jsx` component allows cross-site scripting (XSS) when the model outputs items containing a `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Configurations

Configuration 1

OR cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*

History

25 Feb 2026, 20:17

Type Values Removed Values Added
Summary
  • (es) New API is a large language model (LLM) gateway and an artificial intelligence (AI) asset management system. Before version 0.10.8-alpha.9, a potentially unsafe operation occurs in the `MarkdownRenderer.jsx` component, allowing cross-site scripting (XSS) when the model generates items containing the tag `
References () https://github.com/QuantumNous/new-api/commit/ab5456eb1049aa8a0f3e51f359907ec7fff38b4b - () https://github.com/QuantumNous/new-api/commit/ab5456eb1049aa8a0f3e51f359907ec7fff38b4b - Patch
References () https://github.com/QuantumNous/new-api/security/advisories/GHSA-299v-8pq9-5gjq - () https://github.com/QuantumNous/new-api/security/advisories/GHSA-299v-8pq9-5gjq - Exploit, Vendor Advisory
CPE cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*
First Time Newapi
Newapi new Api

24 Feb 2026, 01:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-24 01:16

Updated : 2026-02-25 20:17


NVD link : CVE-2026-25802

Mitre link : CVE-2026-25802

CVE.ORG link : CVE-2026-25802



Products Affected

newapi

  • new_api
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')