
26 matches found

RedhatCVE
added 2026/06/09 2:58 a.m. | 12 views

CVE-2026-11465

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...

3.1 CVSS | 4.6 AI score | 0.00332 EPSS
Exploits 0 | References 1
NVD
added 2026/06/07 11:16 p.m. | 8 views

CVE-2026-11465

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...

3.1 CVSS | 0.00332 EPSS
Exploits 0 | References 7
CVE
added 2026/06/07 10:45 p.m. | 20 views

CVE-2026-11465

CVE-2026-11465 affects songquanpeng’s one-api (up to 0.6.11-preview.7). The issue is in the Redemption Code Top-Up Endpoint, specifically the function Redeem in file model/redemption.go, where manipulation leads to business logic errors. Reported as exploitable remotely with high complexity and l...

3.1 CVSS | 4.7 AI score | 0.00332 EPSS
Exploits 0 | References 7
ATTACKERKB
added 2026/06/07 10:45 p.m. | 3 views

CVE-2026-11465

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...

3.1 CVSS | 4.6 AI score | 0.00332 EPSS
Exploits 0 | References 7
Vulnrichment
added 2026/06/07 10:45 p.m. | 6 views

CVE-2026-11465 songquanpeng one-api Redemption Code Top-Up Endpoint redemption.go Redeem logic error

A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotel...

3.1 CVSS | 4.6 AI score | 0.00332 EPSS
Exploits 0 | References 7
OSV
added 2025/12/15 8:33 p.m. | 3 views

GO-2025-4154 new-api is vulnerable to SSRF Bypass in one-api

new-api is vulnerable to SSRF Bypass in one-api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the repor...

8.5 CVSS | 6.8 AI score | 0.00255 EPSS
Exploits 0 | References 3
EUVD
added 2025/10/03 8:07 p.m. | 7 views

EUVD-2025-11934

Malicious code in bioql PyPI...

4.8 CVSS | 3.6 AI score | 0.00267 EPSS
Exploits 0 | References 6
RedhatCVE
added 2025/05/23 9:12 a.m. | 3 views

CVE-2024-56516

free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no...

6.9 CVSS | 6.8 AI score | 0.00323 EPSS
Exploits 0 | References 1
Veracode
added 2025/04/28 7:42 a.m. | 6 views

Cross-Site Scripting (XSS)

github.com/songquanpeng/one-api is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input validation and sanitization of the argument "Homepage Content/About System/Footer.", allows malicious content to be injected and executed in the user's browser...

4.8 CVSS | 3.4 AI score | 0.00267 EPSS
Exploits 0 | References 5 | Affected Software 1
RedhatCVE
added 2025/04/26 12:58 a.m. | 7 views

CVE-2025-3801

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

4.8 CVSS | 6.1 AI score | 0.00267 EPSS
Exploits 0 | References 1
SUSE CVE
added 2025/04/24 3:27 a.m. | 1 view

SUSE CVE-2025-3801

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

4.8 CVSS | 2.6 AI score | 0.00267 EPSS
Exploits 0 | References 3
OSV
added 2025/04/22 6:14 p.m. | 3 views

GO-2025-3636 one-api Cross-site Scripting vulnerability in github.com/songquanpeng/one-api

one-api Cross-site Scripting vulnerability in github.com/songquanpeng/one-api...

4.8 CVSS | 3.6 AI score | 0.00267 EPSS
Exploits 0 | References 6
GitHub Security Blog
added 2025/04/19 3:30 p.m. | 10 views

one-api Cross-site Scripting vulnerability

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content leads to cross site scripting. It is possible to initiate the attack...

4.8 CVSS | 6.4 AI score | 0.00267 EPSS
Exploits 0 | References 6 | Affected Software 1
OSV
added 2025/04/19 3:30 p.m. | 7 views

GHSA-WVCX-J62Q-45QW one-api Cross-site Scripting vulnerability

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content leads to cross site scripting. It is possible to initiate the attack...

4.8 CVSS | 6.1 AI score | 0.00267 EPSS
Exploits 0 | References 6
NVD
added 2025/04/19 2:15 p.m. | 17 views

CVE-2025-3801

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

4.8 CVSS | 0.00267 EPSS
Exploits 0 | References 4
Cvelist
added 2025/04/19 2:00 p.m. | 27 views

CVE-2025-3801 songquanpeng one-api System Setting cross site scripting

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

4.8 CVSS | 0.00267 EPSS
Exploits 0 | References 4
Vulnrichment
added 2025/04/19 2:00 p.m. | 7 views

CVE-2025-3801 songquanpeng one-api System Setting cross site scripting

A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to...

4.8 CVSS | 3.4 AI score | 0.00267 EPSS
Exploits 0 | References 4
CVE
added 2025/04/19 2:00 p.m. | 75 views

CVE-2025-3801

CVE-2025-3801 refers to a cross-site scripting vulnerability in github.com/songquanpeng/one-api up to version 0.6.10. The weakness is in the System Setting Handler where manipulating the arguments Homepage Content/About System/Footer can lead to XSS. The issue is exploitable remotely and, per lin...

4.8 CVSS | 3.5 AI score | 0.00267 EPSS
Exploits 0 | References 4
CNNVD
added 2025/04/19 12:00 a.m. | 2 views

One API Code Injection Vulnerability

One API is an LLM API management and distribution system for JustSong individual developers. A code injection vulnerability exists in One API version 0.6.10 and earlier, which stems from a cross-site scripting attack caused by the operation of the Homepage Content parameter in the System Settings...

4.8 CVSS | 4.1 AI score | 0.00267 EPSS
Exploits 0 | References 4
Positive Technologies
added 2025/04/19 12:00 a.m. | 8 views

PT-2025-17378 · Unknown · Songquanpeng One-Api

Name of the Vulnerable Software and Affected Versions: songquanpeng one-api versions up to 0.6.10 Description: A vulnerability was found in the System Setting Handler component, allowing for cross-site scripting through the manipulation of the Homepage Content argument. This issue can be exploite...

9.9 CVSS | 4.4 AI score | 0.00955 EPSS
Exploits 1 | References 39