Description
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Published: 2026-02-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

The vulnerability exists in the MarkdownRenderer.jsx component of the QuantumNous new-api. An inadequate sanitization process allows an attacker to embed <script> tags in content generated by the language model, and when this content is rendered in a user’s browser the injected script can execute arbitrary JavaScript, creating a cross‑site scripting flaw as defined by CWE-79.

Affected Systems

QuantumNous new-api versions up to 0.10.8-alpha.8 are affected. The issue is resolved in version 0.10.8-alpha.9 and later.

Risk and Exploitability

The CVSS score of 7.6 indicates a high‑moderate risk. The EPSS score of less than 1% suggests that exploitation is unlikely under current conditions. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote: an attacker can craft model prompts that produce malicious HTML, which is then rendered in browsers that view the content.

Generated by OpenCVE AI on April 18, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the new-api to version 0.10.8-alpha.9 or newer.
  • Sanitize or escape all LLM output before rendering to remove <script> tags.
  • Disable the MarkdownRenderer feature or block rendering of script tags in the UI until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 11:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-299v-8pq9-5gjq New API has Potential XSS in its MarkdownRenderer component
History

Sat, 28 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Newapi
Newapi new Api
CPEs cpe:2.3:a:newapi:new_api:*:*:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha1:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha2:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha3:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha4:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha5:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha6:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha7:*:*:*:*:*:*
cpe:2.3:a:newapi:new_api:0.10.8:alpha8:*:*:*:*:*:*
Vendors & Products Newapi
Newapi new Api

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Quantumnous
Quantumnous new-api
Vendors & Products Quantumnous
Quantumnous new-api

Tue, 24 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Description New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag. Version 0.10.8-alpha.9 fixes the issue.
Title New API has Potential XSS in its MarkdownRenderer component
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L'}

Subscriptions

Newapi New Api
Quantumnous New-api
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:58:43.459Z

Reserved: 2026-02-05T19:58:01.641Z

Link: CVE-2026-25802

cve-icon Vulnrichment

Updated: 2026-02-26T14:58:34.000Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T01:16:14.927

Modified: 2026-02-25T20:17:51.200

Link: CVE-2026-25802

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses