Go modules package
github.com/quantumnous/new-api
pkg:golang/github.com/quantumnous/new-api
Vulnerabilities (7)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42339 | High | 7.1 | | <= 0.11.9-alpha.1 | — | May 8, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified addres |
| CVE-2026-41432 | High | 7.1 | | < 0.12.10 | 0.12.10 | May 8, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to th |
| CVE-2026-32879 | — | | | >= 0.10.0, <= 0.11.9-alpha.1 | — | Mar 23, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification withou |
| CVE-2026-30886 | — | | | < 0.11.4-alpha.2 | 0.11.4-alpha.2 | Mar 23, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authentica |
| CVE-2026-25802 | — | | | < 0.10.8-alpha.9 | 0.10.8-alpha.9 | Feb 24, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting (XSS) when the model outputs items c |
| CVE-2026-25591 | — | | | < 0.10.8-alpha.10 | 0.10.8-alpha.10 | Feb 24, 2026 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through |
| CVE-2025-62155 | High | 8.5 | | < 0.9.6 | 0.9.6 | Nov 25, 2025 | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the exi |