CVE-2026-25802

Published Feb 24, 2026

Last updated 3 months ago

CVSS high 7.6

Overview

Description: New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Source: security-advisories@github.com
NVD status: Analyzed
Products: new_api

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.4
Impact score: 2.7
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "1527E2D6-778C-4D31-99A9-A21DE4621B69",
            "versionEndExcluding": "0.10.8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*",
            "matchCriteriaId": "92E4407B-5336-4C05-832E-AB226CB00D2E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*",
            "matchCriteriaId": "0A0A79DD-86C8-464A-9CB8-85C1D3DF57EB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*",
            "matchCriteriaId": "35F1C0B3-9CD8-4923-979D-A4BA24206E74",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*",
            "matchCriteriaId": "108FA4C3-126D-4441-AA01-759D5ECF8F96",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*",
            "matchCriteriaId": "4E268A4B-1BD9-46DF-8FA9-C69E7C886C06",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*",
            "matchCriteriaId": "BE947FCB-2C34-4E90-9ACB-BE488E8DF6AE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*",
            "matchCriteriaId": "3631CF4F-5C43-4213-9E37-5E8A7E7C4423",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*",
            "matchCriteriaId": "F8F77CC8-1191-4EE7-9D70-1867B832441A",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References