Medium severity5.3NVD Advisory· Published Apr 20, 2026· Updated Apr 22, 2026

CVE-2026-6608

Description

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was fixed in commit 34eca62 for gradio_block_arena_named.py, but three other files were missed.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fschatPyPI	<= 0.2.36	—

Affected products

Lm Sys/Fastchatreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-f3q6-69f3-vwchghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-6608ghsaADVISORY
gist.github.com/YLChen-007/e45039d23e698222d887ee09735d9d36nvdWEB
github.com/lm-sys/FastChat/issues/3834nvdWEB
vuldb.com/submit/792228nvdWEB
vuldb.com/vuln/358243nvdWEB
vuldb.com/vuln/358243/ctinvdWEB

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000