Primary

Context

QuantumNous New-API Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in QuantumNous New-API version 0.8.5.2 and earlier. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser. The issue can affect any user within the system, including those with administrative privileges.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, navigate to the 'Console' feature and then to 'Playground'. Interact with the AI using default settings. Send a message containing XSS payload, which will trigger an error response. After enabling 'Show Debug', the XSS code execution can be observed. To escalate the impact, export the conversation containing the XSS payload and import it while logged in as an admin, which will result in compromising the admin account.

Added: Aug 22, 2025, 3:17 PM

Updated: Aug 22, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

7.7

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

7.7

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QuantumNous New-API Cross-Site Scripting Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating