All 8 CVE vulnerabilities found in new-api, with AI-generated Chinese analysis, references, and POCs.
Vendor: QuantumNous

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42339 | New API: SSRF Filter Bypass via 0.0.0.0 | CWE-918 | 8.1 (AI) | High (AI) | 2026-05-08 |
| CVE-2026-41432 | New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud | CWE-345 | 7.1 | High | 2026-05-08 |
| CVE-2026-32879 | New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure | CWE-287 | 4.9 | Medium | 2026-03-23 |
| CVE-2026-30886 | New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check | CWE-639 | 6.5 | Medium | 2026-03-23 |
| CVE-2026-25802 | New API has Potential XSS in its MarkdownRenderer component | CWE-79 | 7.6 | High | 2026-02-24 |
| CVE-2026-25591 | New API has an SQL LIKE Wildcard Injection DoS via Token Search | CWE-943 | 6.5 (AI) | Medium (AI) | 2026-02-24 |
| CVE-2025-62155 | QuantumNous New API Has SSRF Bypass | CWE-918 | 8.5 | High | 2025-11-24 |
| CVE-2025-59146 | New API has Authenticated Server-Side Request Forgery (SSRF) issue | CWE-918 | 8.5 | High | 2025-10-09 |