CVE-2026-25802

HIGH
7.6
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:55 (vuln.today)
PoC Detected: Feb 25, 2026 - 20:17 (vuln.today) - public exploit code
Patch Released: Feb 25, 2026 - 20:17 (nvd) - patch available
CVE Published: Feb 24, 2026 - 01:16 (nvd)

Description

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potentially unsafe operation occurs in the component `MarkdownRenderer.jsx`, allowing Cross-Site Scripting (XSS) when the model output contains a `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.

Analysis

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. …


Remediation

Within 24 hours: Assess all systems running the vulnerable API and document their criticality and data exposure. Within 7 days: Apply the available vendor patch to all affected production and non-production environments, starting with highest-risk systems. …


Priority Score

58 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +38
POC: +20

Vendor Status


CVE-2026-25802 vulnerability details – vuln.today
