Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25591 | 1 Newapi | 1 New Api | 2026-03-03 | N/A | 6.5 MEDIUM |
| New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch. | |||||
| CVE-2026-25802 | 1 Newapi | 1 New Api | 2026-02-25 | N/A | 7.6 HIGH |
| New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue. | |||||
| CVE-2025-55573 | 1 Newapi | 1 New Api | 2025-09-15 | N/A | 8.8 HIGH |
| QuantumNous new-api v.0.8.5.2 is vulnerable to Cross Site Scripting (XSS). | |||||