CVE-2026-9305 - Vulnerability Details

Description

A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-23

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A failure to properly parameterize input in the SearchUserTopUps and SearchAllTopUps functions of the model/topup.go file in QuantumNous new‑api allows an attacker to inject arbitrary SQL code when the self endpoint is called. Because the vulnerability is exploitable from a remote client, an attacker could read, modify, or delete data stored in the backend database, leading to a compromise of data confidentiality and integrity and potentially causing a denial‑of‑service condition if critical tables are corrupted.

Affected Systems

QuantumNous new‑api versions up to and including 0.12.1 are affected. The vulnerability is present in the self endpoint of the new‑api component and does not appear to be limited to any particular deployment scenario beyond the presence of that endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates the issue has a moderate impact on security. EPSS information is not available, yet a public exploit has been released, showing that the weakness is actively used. The vulnerability is not listed in CISA KEV, but the combination of public exploits and remote trigger make it a realistic threat. An attacker does not need local access and can exercise arbitrary SQL commands against the database once the self endpoint is reachable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QuantumNous

new-api

affected

Version	Status	Constraints
`0.12.0`	affected	—
`0.12.1`	affected	—

No data.

Vendor Product Confidence Versions

Quantumnous

New-api

95%

Version	Status	Scheme	Platform
`0.12.0`	affected	semver	—
`0.12.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade QuantumNous new‑api to a version released after 0.12.1 that contains the fix for the SQL injection in SearchAllTopUps.
Restrict access to the self endpoint so that only authenticated and authorized users can invoke it, and consider IP whitelisting if feasible.
Implement proper input validation or move to prepared statements and parameterized queries in the code that processes requests to the self endpoint, addressing the root cause identified by CWEs 74 and 89.
Monitor logs for suspicious SQL query patterns and block potential injection attempts if the upstream code cannot be modified immediately.

Generated by OpenCVE AI on May 23, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db
https://vuldb.com/submit/812192
https://vuldb.com/submit/812195
https://vuldb.com/vuln/365252
https://vuldb.com/vuln/365252/cti

History

Sat, 23 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		QuantumNous new-api self Endpoint topup.go SearchAllTopUps sql injection
First Time appeared		Quantumnous Quantumnous new-api
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:quantumnous:new-api::::::::
Vendors & Products		Quantumnous Quantumnous new-api
References		https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db https://vuldb.com/submit/812192 https://vuldb.com/submit/812195 https://vuldb.com/vuln/365252 https://vuldb.com/vuln/365252/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Quantumnous New-api

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-23T14:30:10.103Z

Updated: 2026-05-23T14:30:10.103Z

Reserved: 2026-05-22T18:03:27.520Z

Link: CVE-2026-9305

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T15:30:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object