Vulnerability in Quantumnous New-api
CVE-2026-25591
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated…
EPSS: 0.000 (6.6th percentile)
Affected products
- Quantumnous New-api — versions < 0.10.8-alpha.10
Weakness classification (CWE)
References
- https://github.com/QuantumNous/new-api/security/advisories/GHSA-w6x6-9fp7-fqm4 (x_refsource_CONFIRM)
- https://github.com/QuantumNous/new-api/commit/3e1be18310f35d20742683ca9e4bf3bcafc173c5 (x_refsource_MISC)
- https://github.com/QuantumNous/new-api/releases/tag/v0.10.8-alpha.10 (x_refsource_MISC)