CISA-2026-25591
Reported by GitHub_M · Published February 24, 2026
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| QuantumNous | new-api | < 0.10.8-alpha.10 |
| QuantumNous | new-api | < 0.10.8-alpha.10, < 0.10.8-alpha.10 |
Timeline
- Feb 24, 2026 CVE Published
- Feb 26, 2026 CVE Updated