VYPR
High severityNVD Advisory· Published Feb 24, 2026· Updated Feb 26, 2026

New API has an SQL LIKE Wildcard Injection DoS via Token Search

CVE-2026-25591

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the /api/token/search endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied keyword and token parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (%, _). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/QuantumNous/new-apiGo
< 0.10.8-alpha.100.10.8-alpha.10

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.