7.6

CVE-2026-25802

Exploit
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potentially unsafe operation occurs in the component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting (XSS) when the model outputs items containing a `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Data provided by the National Vulnerability Database (NVD)
Newapi New Api Version < 0.10.8
Newapi New Api Version 0.10.8 Update alpha1
Newapi New Api Version 0.10.8 Update alpha2
Newapi New Api Version 0.10.8 Update alpha3
Newapi New Api Version 0.10.8 Update alpha4
Newapi New Api Version 0.10.8 Update alpha5
Newapi New Api Version 0.10.8 Update alpha6
Newapi New Api Version 0.10.8 Update alpha7
Newapi New Api Version 0.10.8 Update alpha8
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.03% | 0.083 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| security-advisories@github.com | 7.6 | 2.3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.