CVE-2026-25802
Published: 24 February 2026
Summary
CVE-2026-25802 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Newapi New Api. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25802 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting New API, a large language model (LLM) gateway and artificial intelligence (AI) asset management system. The issue resides in the MarkdownRenderer.jsx component, where prior to version 0.10.8-alpha.9, unsafe operations allow execution of model outputs containing <script> tags. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L).
An attacker with low privileges can exploit this over the network with low complexity, requiring user interaction such as viewing maliciously crafted markdown from model output. Successful exploitation changes scope, enabling high integrity impact (e.g., script injection altering application behavior) with no confidentiality impact and low availability impact.
The GitHub security advisory (GHSA-299v-8pq9-5gjq) and fixing commit (ab5456eb1049aa8a0f3e51f359907ec7fff38b4b) confirm mitigation by upgrading to version 0.10.8-alpha.9, which addresses the unsafe rendering in MarkdownRenderer.jsx.
This vulnerability is notable for its relevance to AI systems, as it stems from untrusted LLM-generated content in an AI asset management gateway. No real-world exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7452
Vulnerability details
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.10.8-alpha.9, a potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `<script>` tag.…
more
Version 0.10.8-alpha.9 fixes the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, artificial intelligence, llm
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in web UI (MarkdownRenderer) directly enables arbitrary JavaScript execution from untrusted model output (T1059.007) and is exploitable as a public-facing web application vulnerability for initial access (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of output prior to rendering, directly preventing execution of malicious <script> tags in untrusted LLM-generated markdown by the MarkdownRenderer.jsx component.
SI-2 mandates identification and timely remediation of flaws, such as patching to version 0.10.8-alpha.9 to address the unsafe rendering operation in MarkdownRenderer.jsx.
SI-10 enforces validation of untrusted inputs like LLM outputs before processing in the renderer, mitigating injection of XSS payloads such as <script> tags.