High severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026
New API has Potential XSS in its MarkdownRenderer component
CVE-2026-25802
Description
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potentially unsafe operation in the MarkdownRenderer.jsx component allows Cross-Site Scripting (XSS) when the model outputs items containing `` tag. Version 0.10.8-alpha.9 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/QuantumNous/new-api (Go) | < 0.10.8-alpha.9 | 0.10.8-alpha.9 |
Affected products (3)
- ghsa-coords (2 versions): pkg:golang/github.com/quantumnous/new-api, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (< 0.10.8-alpha.9, + 1 more)
- (no CPE) range: < 0.10.8-alpha.9
- (no CPE) range: < 0.0.20260226T182644-150000.1.149.1
- Range: < 0.10.8-alpha.9
References (5)
- github.com/advisories/GHSA-299v-8pq9-5gjq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25802 (ghsa, ADVISORY)
- github.com/QuantumNous/new-api/commit/ab5456eb1049aa8a0f3e51f359907ec7fff38b4b (ghsa, x_refsource_MISC, WEB)
- github.com/QuantumNous/new-api/security/advisories/GHSA-299v-8pq9-5gjq (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4532 (ghsa, WEB)