SQL Injection Vulnerability in New API Gateway by QuantumNous
CVE-2026-25591

7.1HIGH

Key Information:

Vendor

Quantumnous

Status
New-api
Vendor
CVE Published:
24 February 2026

What is CVE-2026-25591?

The New API by QuantumNous has a vulnerability in the /api/token/search endpoint which allows authenticated users to exploit SQL LIKE wildcard injection. This is due to insufficient input validation, as user-supplied keyword and token parameters are directly concatenated into SQL LIKE queries without escaping wildcard characters, resulting in potential resource exhaustion and denial of service. A patch has been released in version 0.10.8-alpha.10 to address this issue.

Affected Version(s)

new-api < 0.10.8-alpha.10

References

https://github.com/QuantumNous/new-api/security/advisorie...
x_refsource_CONFIRM
https://github.com/QuantumNous/new-api/commit/3e1be18310f...
x_refsource_MISC
https://github.com/QuantumNous/new-api/releases/tag/v0.10...
x_refsource_MISC

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.