QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-25591

Back to search

CVE-2026-25591

Published: Feb 24, 2026

Modified: Feb 26, 2026

PUBLISHED

Description

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.

VendorProductVersions

QuantumNous

new-api

affected
< 0.10.8-alpha.10

Weaknesses (CWE)

CWE-943

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now