cvedb.io
CVE-2026-25591
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-02-24T01:16:13.457 · Last modified 2026-06-17T10:24:54.910

Summary

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.10, a SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause denial of service through resource exhaustion by crafting malicious search patterns. The token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries. Version 0.10.8-alpha.10 contains a patch.

Affected products

newapi — new_api

Does this affect you?

Add your gear to cvedb and we'll alert you only when newapi ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.