7.6

CVE-2026-25802

Exploit

New API has Potential XSS in its MarkdownRenderer component

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potentially unsafe operation in the `MarkdownRenderer.jsx` component allows Cross-Site Scripting (XSS) when the model outputs items containing a `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Data is provided by the National Vulnerability Database (NVD)
Newapi New Api, Version < 0.10.8
Newapi New Api, Version 0.10.8, Update alpha1
Newapi New Api, Version 0.10.8, Update alpha2
Newapi New Api, Version 0.10.8, Update alpha3
Newapi New Api, Version 0.10.8, Update alpha4
Newapi New Api, Version 0.10.8, Update alpha5
Newapi New Api, Version 0.10.8, Update alpha6
Newapi New Api, Version 0.10.8, Update alpha7
Newapi New Api, Version 0.10.8, Update alpha8
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.22% | 0.125 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| security-advisories@github.com | 7.6 | 2.3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/QuantumNous/new-api/commit/ab5456eb1049aa8a0f3e51f359907ec7fff38b4b (Patch)
https://github.com/QuantumNous/new-api/security/advisories/GHSA-299v-8pq9-5gjq (Vendor Advisory, Exploit)