Cyber Resilience

CVE-2026-25802

HighPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L
EPSS Score 0.0001 2.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25802 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Newapi New Api. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25802 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting New API, a large language model (LLM) gateway and artificial intelligence (AI) asset management system. The issue resides in the MarkdownRenderer.jsx component, where prior to version 0.10.8-alpha.9, unsafe operations allow execution of model outputs containing <script> tags. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L).

An attacker with low privileges can exploit this over the network with low complexity, requiring user interaction such as viewing maliciously crafted markdown from model output. Successful exploitation changes scope, enabling high integrity impact (e.g., script injection altering application behavior) with no confidentiality impact and low availability impact.

The GitHub security advisory (GHSA-299v-8pq9-5gjq) and fixing commit (ab5456eb1049aa8a0f3e51f359907ec7fff38b4b) confirm mitigation by upgrading to version 0.10.8-alpha.9, which addresses the unsafe rendering in MarkdownRenderer.jsx.

This vulnerability is notable for its relevance to AI systems, as it stems from untrusted LLM-generated content in an AI asset management gateway. No real-world exploitation has been reported.

EU & UK References

Vulnerability details

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag.…

more

Version 0.10.8-alpha.9 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, artificial intelligence, llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS in web UI (MarkdownRenderer) directly enables arbitrary JavaScript execution from untrusted model output (T1059.007) and is exploitable as a public-facing web application vulnerability for initial access (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41432Same product: Newapi New Api
CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79
CVE-2025-27352Shared CWE-79
CVE-2025-30349Shared CWE-79

Affected Assets

newapi
new api
0.10.8 · ≤ 0.10.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 requires filtering of output prior to rendering, directly preventing execution of malicious <script> tags in untrusted LLM-generated markdown by the MarkdownRenderer.jsx component.

prevent

SI-2 mandates identification and timely remediation of flaws, such as patching to version 0.10.8-alpha.9 to address the unsafe rendering operation in MarkdownRenderer.jsx.

prevent

SI-10 enforces validation of untrusted inputs like LLM outputs before processing in the renderer, mitigating injection of XSS payloads such as <script> tags.

References