CVE-2026-25802

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25802

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25802.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25802

Aliases

Downstream

SUSE-SU-2026:0757-1

Related

SUSE-SU-2026:0757-1

Published

2026-02-24T00:42:45.515Z

Modified

2026-04-02T13:18:10.828010Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L CVSS Calculator

Summary

New API has Potential XSS in its MarkdownRenderer component

Details

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting(XSS) when the model outputs items containing <script> tag. Version 0.10.8-alpha.9 fixes the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25802.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/quantumnous/new-api

Affected ranges

Type: GIT
Repo: https://github.com/quantumnous/new-api
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

96f9ff19dfbf3704f444073b2f62e17530aa5cad

Affected versions

v0.*

v0.6.0.5

v0.8.8.0-alpha.10

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25802.json"