VYPR

Go modules package

github.com/quantumnous/new-api

pkg:golang/github.com/quantumnous/new-api

Vulnerabilities (7)

  • CVE-2026-42339 | High | May 8, 2026
    affected <= 0.11.9-alpha.1

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified addres

  • CVE-2026-41432 | High | May 8, 2026
    affected < 0.12.10 | fixed 0.12.10

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to th

  • CVE-2026-32879 | Mar 23, 2026
    affected >= 0.10.0, <= 0.11.9-alpha.1

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification withou

  • CVE-2026-30886 | Mar 23, 2026
    affected < 0.11.4-alpha.2 | fixed 0.11.4-alpha.2

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authentica

  • CVE-2026-25802 | Feb 24, 2026
    affected < 0.10.8-alpha.9 | fixed 0.10.8-alpha.9

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting (XSS) when the model outputs items c

  • CVE-2026-25591 | Feb 24, 2026
    affected < 0.10.8-alpha.10 | fixed 0.10.8-alpha.10

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through

  • CVE-2025-62155 | High | Nov 25, 2025
    affected < 0.9.6 | fixed 0.9.6

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the exi