5 matches found

CVE
added 2026/05/08 10:21 p.m. | 44 views

CVE-2026-41432

CVE-2026-41432 affects New API versions prior to 0.12.10. The Stripe webhook endpoint is exposed at /api/stripe/webhook and is vulnerable when StripeWebhookSecret is empty, enabling an unauthenticated attacker to forge webhook events and fraudulently credit quota. Root causes listed across source...

CVSS 8.2 | AI score 5.9 | EPSS 0.00259

CVE
added 2026/03/23 7:18 p.m. | 29 views

CVE-2026-30886

The CVE-2026-30886 entry describes an Insecure Direct Object Reference (IDOR) in the video proxy endpoint GET /v1/videos/:task_id/content of the New API LLM gateway/AI asset manager. Before version 0.11.4-alpha.2, any authenticated user could access video content owned by others due to a missing ...

CVSS 6.5 | AI score 5.8 | EPSS 0.00274

Web
CVE
added 2026/05/08 10:21 p.m. | 23 views

CVE-2026-42339

CVE-2026-42339 (New API: SSRF Filter Bypass via 0.0.0.0) affects New API (LLM gateway) up to v0.11.9-alpha.1. The SSRF protection is incomplete: 0.0.0.0/8 is not checked, allowing a regular user with a valid API token to request multimodal endpoints (/v1/chat/completions, /v1/responses, /v1/messa...

CVSS 7.1 | AI score 5.8 | EPSS 0.00258

Web
CVE
added 2026/02/24 12:41 a.m. | 14 views

CVE-2026-25591

Summary of CVE-2026-25591 (from connected advisory): A SQL LIKE wildcard injection in the authenticated endpoint /api/token/search allows crafted patterns to cause resource exhaustion and DoS by forcing expensive queries. The vulnerable code directly concatenates user-supplied keyword and token i...

CVSS 7.1 | AI score 5.7 | EPSS 0.00499

Web
CVE
added 2026/02/24 12:42 a.m. | 14 views

CVE-2026-25802

CVE context: The connected GHSA advisory GHSA-299V-8PQ9-5GJQ documents a potential XSS in New API’s MarkdownRenderer component. The vulnerable path is in MarkdownRenderer.jsx (lines 212–231), which uses dangerouslySetInnerHTML to render model-generated HTML. Impact: potential XSS if the model out...

CVSS 7.6 | AI score 5.4 | EPSS 0.00222