What is the CVSS score of CVE-2026-25802?

CVE-2026-25802 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of AI / ML are affected by CVE-2026-25802?

A HIGH severity vulnerability (CVE-2026-25802) affecting our LLM gateway and AI asset management system has been publicly disclosed with available exploits.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25802?

Yes, a public proof-of-concept exploit is available for CVE-2026-25802. Prioritise patching immediately. EPSS: 0.0%.

AI / ML CVE-2026-25802

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-24 security-advisories@github.com

GHSA-299v-8pq9-5gjq

XSS AI / ML New Api Suse

7.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 20:17 vuln.today

Public exploit code

Patch released

Feb 25, 2026 - 20:17 nvd

Patch available

CVE Published

Feb 24, 2026 - 01:16 nvd

HIGH 7.6

DescriptionNVD

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting(XSS) when the model outputs items containing <script> tag. Version 0.10.8-alpha.9 fixes the issue.

AnalysisAI

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. …

RemediationAI

Within 24 hours: Assess all systems running the vulnerable API and document their criticality and data exposure. Within 7 days: Apply the available vendor patch to all affected production and non-production environments, starting with highest-risk systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-25802 vulnerability details – vuln.today

Back