New Api
Monthly
Authorization bypass in QuantumNous new-api versions up to 0.12.1 allows remote attackers to access Midjourney image relay endpoints without proper authentication. The vulnerability resides in RelayMidjourneyImage and GetByOnlyMJId functions within relay-router.go. Despite high attack complexity (CVSS AC:H) and CVSS score of only 3.7, a publicly available proof-of-concept exploit exists (disclosed via GitHub Gist), reducing the technical barrier. The vendor did not respond to early disclosure attempts. EPSS data not provided, but the combination of public exploit and unauthenticated network access (PR:N) warrants attention for organizations using this API gateway for Midjourney integration.
SQL injection in QuantumNous new-api versions up to 0.12.1 allows authenticated remote attackers to manipulate database queries through the SearchUserTopUps and SearchAllTopUps functions in the self endpoint. The vulnerability exists in model/topup.go with confirmed public exploit code available on GitHub. With EPSS data unavailable and CVSS 6.3 (medium severity), the primary risk stems from the low-complexity exploitation requiring only low-level authentication, enabling attackers to exfiltrate sensitive data, modify records, or potentially execute denial-of-service attacks against the database layer.
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.
QuantumNous new-api v.0.8.5.2 is vulnerable to Cross Site Scripting (XSS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in QuantumNous new-api versions up to 0.12.1 allows remote attackers to access Midjourney image relay endpoints without proper authentication. The vulnerability resides in RelayMidjourneyImage and GetByOnlyMJId functions within relay-router.go. Despite high attack complexity (CVSS AC:H) and CVSS score of only 3.7, a publicly available proof-of-concept exploit exists (disclosed via GitHub Gist), reducing the technical barrier. The vendor did not respond to early disclosure attempts. EPSS data not provided, but the combination of public exploit and unauthenticated network access (PR:N) warrants attention for organizations using this API gateway for Midjourney integration.
SQL injection in QuantumNous new-api versions up to 0.12.1 allows authenticated remote attackers to manipulate database queries through the SearchUserTopUps and SearchAllTopUps functions in the self endpoint. The vulnerability exists in model/topup.go with confirmed public exploit code available on GitHub. With EPSS data unavailable and CVSS 6.3 (medium severity), the primary risk stems from the low-complexity exploitation requiring only low-level authentication, enabling attackers to exfiltrate sensitive data, modify records, or potentially execute denial-of-service attacks against the database layer.
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.
QuantumNous new-api v.0.8.5.2 is vulnerable to Cross Site Scripting (XSS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.