CVE-2026-25802 PUBLISHED

New API has Potential XSS in its MarkdownRenderer component

Assigner: GitHub_M
Reserved: 05.02.2026 Published: 24.02.2026 Updated: 24.02.2026

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting(XSS) when the model outputs items containing <script> tag. Version 0.10.8-alpha.9 fixes the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L
CVSS Score: 7.6

Product Status

Vendor QuantumNous
Product new-api
Versions
  • Version < 0.10.8-alpha.9 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE