A SQL injection vulnerability exists in QuantumNous new-api versions up to 0.12.1. The vulnerability is located in the SearchUserTopUps and SearchAllTopUps functions within model/topup.go. An authenticated attacker with low privileges can exploit this remotely to manipulate database queries. The CVSS 4.0 score of 2.1 reflects limited impact scope, though the public availability of exploit information incr [truncated]
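The bug class named above (user-controlled search text reaching a query) and its standard fix, shown as an added Go example; this is a hypothetical top-up search builder written for this page, not the contents of new-api's model/topup.go, and the table and column names (`topups`, `trade_no`) are assumed. The builder returns the SQL text and bound arguments as a `database/sql` or GORM `Where` call would receive them rather than executing them, so it runs without a database. It also covers an edge case placeholders alone do not: escaping LIKE wildcards so a bound keyword matches literally.

```go
package main

import (
	"fmt"
	"strings"
)

// TopUpSearch is a parameterized statement: fixed SQL text with placeholders
// plus the values bound to them. Caller input never reaches Query.
type TopUpSearch struct {
	Query string
	Args  []any
}

// BuildTopUpSearchUnsafe is the anti-pattern: the keyword is spliced into the
// statement text, so a quote character in it changes the statement's structure.
// Hypothetical illustration of the bug class, not new-api's code.
func BuildTopUpSearchUnsafe(userID int, keyword string) TopUpSearch {
	q := fmt.Sprintf("SELECT * FROM topups WHERE user_id = %d AND trade_no LIKE '%%%s%%'", userID, keyword)
	return TopUpSearch{Query: q}
}

// escapeLike makes a bound LIKE value match literally. Placeholders stop
// injection but do not neutralise % and _, which would otherwise let a caller
// widen the search; '!' is used as the escape character so the same statement
// text works in MySQL, PostgreSQL and SQLite.
func escapeLike(s string) string {
	return strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(s)
}

// BuildTopUpSearch keeps the SQL text constant and binds every caller-controlled
// value. With adminScope=false the result is pinned to the caller's own user_id,
// so a low-privilege account only ever searches its own top-ups.
func BuildTopUpSearch(userID int, keyword string, adminScope bool) TopUpSearch {
	var where []string
	var args []any
	if !adminScope {
		where = append(where, "user_id = ?")
		args = append(args, userID)
	}
	if keyword != "" {
		where = append(where, "trade_no LIKE ? ESCAPE '!'")
		args = append(args, "%"+escapeLike(keyword)+"%")
	}
	q := "SELECT * FROM topups"
	if len(where) > 0 {
		q += " WHERE " + strings.Join(where, " AND ")
	}
	return TopUpSearch{Query: q, Args: args}
}

func main() {
	kw := "ab'c"
	fmt.Println(BuildTopUpSearchUnsafe(7, kw).Query) // keyword lands inside the SQL text
	s := BuildTopUpSearch(7, kw, false)
	fmt.Println(s.Query, s.Args) // text is fixed; keyword travels as a bound argument
}
```

The two builders make the difference visible: the unsafe one's output changes shape with the input, while the safe one's SQL text is identical for every keyword and only `Args` varies. Scoping the query to the caller's `user_id` unless the caller is an administrator is a separate control from parameterization, but it is the one that keeps a low-privilege search from becoming a read of other users' records.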
New API is an LLM gateway and AI asset management system. Prior to version 0.12.10, the Stripe webhook handler fails to properly validate webhook event authenticity, allowing unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. The vulnerability stems from insufficient verification of webhook signatures (CWE-345: Insufficient Verification of Data [truncated]
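What proper webhook-event verification looks like for this failure mode, as an added Go example rather than new-api's handler: Stripe signs each delivery with a `Stripe-Signature: t=<unix>,v1=<hex>` header, where the v1 value is HMAC-SHA256 over `"<t>.<raw body>"` keyed with the endpoint secret. The verifier below checks the exact bytes received against that header with a constant-time comparison and a timestamp tolerance window, and the quota-credit decision runs only after the check passes. `SignWebhook` stands in for Stripe's side so the exchange runs offline, the event shape is a constructed subset of a `checkout.session.completed` event, and `QuotaToCredit` and the secret are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrMalformedHeader = errors.New("webhook: malformed Stripe-Signature header")
	ErrStaleTimestamp  = errors.New("webhook: timestamp outside tolerance window")
	ErrBadSignature    = errors.New("webhook: no v1 signature matches the payload")
)

// computeSignature returns hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")),
// the scheme behind the v1 entries of the Stripe-Signature header.
func computeSignature(secret string, ts int64, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// SignWebhook plays the sender's side so the exchange runs offline (constructed for this example).
func SignWebhook(secret string, ts int64, payload []byte) string {
	return fmt.Sprintf("t=%d,v1=%s", ts, computeSignature(secret, ts, payload))
}

// parseSignatureHeader splits "t=<unix>,v1=<hex>[,v1=<hex>...]"; several v1 values are legitimate during secret rotation.
func parseSignatureHeader(header string) (int64, []string, error) {
	ts, sigs := int64(-1), []string(nil)
	for _, part := range strings.Split(header, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			return 0, nil, ErrMalformedHeader
		}
		switch kv[0] {
		case "t":
			v, err := strconv.ParseInt(kv[1], 10, 64)
			if err != nil {
				return 0, nil, ErrMalformedHeader
			}
			ts = v
		case "v1":
			sigs = append(sigs, kv[1])
		}
	}
	if ts < 0 || len(sigs) == 0 {
		return 0, nil, ErrMalformedHeader
	}
	return ts, sigs, nil
}

// VerifyWebhook authenticates the exact bytes received, before any JSON decoding.
// The tolerance window rejects replays of old, genuinely signed deliveries.
func VerifyWebhook(payload []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	ts, sigs, err := parseSignatureHeader(header)
	if err != nil {
		return err
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return ErrStaleTimestamp
	}
	expected := computeSignature(secret, ts, payload)
	for _, s := range sigs {
		if hmac.Equal([]byte(s), []byte(expected)) { // constant-time compare
			return nil
		}
	}
	return ErrBadSignature
}

// QuotaToCredit is the handler's decision point: the body is decoded and an
// amount returned only after the signature check has passed (assumed handler shape).
func QuotaToCredit(payload []byte, header, secret string, now time.Time) (int64, error) {
	if err := VerifyWebhook(payload, header, secret, now, 5*time.Minute); err != nil {
		return 0, err
	}
	var ev struct {
		Type string `json:"type"`
		Data struct {
			Object struct {
				AmountTotal int64 `json:"amount_total"`
			} `json:"object"`
		} `json:"data"`
	}
	if err := json.Unmarshal(payload, &ev); err != nil || ev.Type != "checkout.session.completed" {
		return 0, err
	}
	return ev.Data.Object.AmountTotal, nil
}

func main() {
	secret, now := "whsec_constructed_demo_secret", time.Unix(1700000000, 0)
	body := []byte(`{"type":"checkout.session.completed","data":{"object":{"amount_total":500}}}`)
	fmt.Println(QuotaToCredit(body, SignWebhook(secret, now.Unix(), body), secret, now))
}
```

Two design points matter here. The MAC is computed over the raw request body, so the handler must read the bytes before any framework parses them; re-serializing a decoded object would change whitespace or key order and break verification. And the timestamp is part of the signed data, so a delivery cannot be replayed outside the window by editing `t`, because that changes the expected MAC as well.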