
7 matches found

CVE
• added 2026/05/08 10:21 p.m. • 36 views

CVE-2026-41432

CVE-2026-41432 affects New API versions prior to 0.12.10. The Stripe webhook endpoint is exposed at /api/stripe/webhook and is vulnerable when StripeWebhookSecret is empty, enabling an unauthenticated attacker to forge webhook events and fraudulently credit quota. Root causes listed across source...

CVSS 8.2 | AI score 5.9 | EPSS 0.00259
CVE
• added 2026/03/23 7:18 p.m. • 27 views

CVE-2026-30886

The CVE-2026-30886 entry describes an Insecure Direct Object Reference (IDOR) in the video proxy endpoint GET /v1/videos/:task_id/content of the New API LLM gateway/AI asset manager. Before version 0.11.4-alpha.2, any authenticated user could access video content owned by others due to a missing ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00274
Web
CVE
• added 2026/05/08 10:21 p.m. • 23 views

CVE-2026-42339

CVE-2026-42339 (New API: SSRF Filter Bypass via 0.0.0.0) affects New API (LLM gateway) up to v0.11.9-alpha.1. The SSRF protection is incomplete: 0.0.0.0/8 is not checked, allowing a regular user with a valid API token to request multimodal endpoints (/v1/chat/completions, /v1/responses, /v1/messa...

CVSS 7.1 | AI score 5.8 | EPSS 0.00258
Web
CVE
• added 2026/03/23 7:24 p.m. • 18 views

CVE-2026-32879

CVE-2026-32879 affects New API (LLM gateway/AI asset management). Beginning with version 0.10.0, a logic flaw in the universal secure verification flow lets an authenticated user with a registered passkey satisfy secure verification without completing a WebAuthn assertion. Exploitation status is ...

CVSS 4.9 | AI score 5.8 | EPSS 0.00289
CVE
• added 2025/08/22 12:0 a.m. • 16 views

CVE-2025-55573

CVE-2025-55573 affects QuantumNous new-api v0.8.5.2. The vulnerability is Cross-Site Scripting (XSS). CVSSv3.1 base score 8.8 (HIGH) with NETWORK attack vector, LOW complexity, no privileges, user interaction required; impact on confidentiality, integrity, and availability all HIGH. Public techni...

CVSS 8.8 | AI score 6.2 | EPSS 0.00392
CVE
• added 2026/02/24 12:42 a.m. • 13 views

CVE-2026-25802

CVE context: The connected GHSA advisory GHSA-299V-8PQ9-5GJQ documents a potential XSS in New API's MarkdownRenderer component. The vulnerable path is in MarkdownRenderer.jsx (lines 212–231), which uses dangerouslySetInnerHTML to render model-generated HTML. Impact: potential XSS if the model out...

CVSS 7.6 | AI score 5.4 | EPSS 0.00222
CVE
• added 2026/02/24 12:41 a.m. • 12 views

CVE-2026-25591

Summary of CVE-2026-25591 (from connected advisory): A SQL LIKE wildcard injection in the authenticated endpoint /api/token/search allows crafted patterns to cause resource exhaustion and DoS by forcing expensive queries. The vulnerable code directly concatenates user-supplied keyword and token i...

CVSS 7.1 | AI score 5.7 | EPSS 0.00499
Web