New Api

3 CVEs for this product

CVE-2026-25802 | HIGH | POC | PATCH | This Week

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.

Tags: XSS, AI / ML, New Api, Suse
Sources: NVD, GitHub
CVSS 3.1: 7.6
EPSS: 0.0%
CVE-2026-25591 | MEDIUM | POC | PATCH | This Month

Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.

Tags: Denial Of Service, AI / ML, New Api, Suse
Sources: NVD, GitHub
CVSS 3.1: 6.5
EPSS: 0.1%
CVE-2025-55573 | HIGH | POC | This Week

QuantumNous new-api v.0.8.5.2 is vulnerable to Cross Site Scripting (XSS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: XSS, New Api
Sources: NVD, GitHub
CVSS 3.1: 8.8
EPSS: 0.1%