CVE-2026-9306 QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization

A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be...

New API SQL注入漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API prior to 0.12.1 have a SQL injection vulnerability. This vulnerability originates from the SearchUserTopUps/SearchAllTopUps function in the model/topup.go file of the self Endpoint component, which may lead to...

GO-2026-4814 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check in github.com/QuantumNous/new-api

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check in github.com/QuantumNous/new-api...

GO-2026-4532 New API has Potential XSS in its MarkdownRenderer component in github.com/QuantumNous/new-api

New API has Potential XSS in its MarkdownRenderer component in github.com/QuantumNous/new-api...

New API 安全漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API prior to 0.10.8-alpha.10 contained a security vulnerability. This vulnerability stems from SQL LIKE wildcard injections in the/api/token/search endpoint, which could lead to denial-of-service attacks through...