What is CVE-2026-6608?

CVE-2026-6608 is a medium-severity vulnerability in Lm-sys Fastchat, classified under Always-Incorrect Control Flow Implementation. CVSS score: 5.3/10. Published 2026-04-20.

How severe is CVE-2026-6608?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Lm-sys Fastchat

CVE-2026-6608

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The…

EPSS: 0.000 (15.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R.

Affected products

Lm-sys Fastchat — versions 0.2.0, 0.2.1, 0.2.2

Weakness classification (CWE)

CWE-670 — Always-Incorrect Control Flow Implementation

References

VDB-358243 | lm-sys fastchat Arena Side-by-Side View add_text control flow (vdb-entry, technical-description)
VDB-358243 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #792228 | LM-Sys FastChat <= 0.2.36 Content Moderation Bypass (CWE-670) (third-party-advisory)
github.com/lm-sys/FastChat/issues/3834 (issue-tracking)
gist.github.com/YLChen-007/e45039d23e698222d887ee09735d9d36 (exploit)
github.com/lm-sys/FastChat/ (product)

Frequently asked questions

What is CVE-2026-6608?: CVE-2026-6608 is a medium-severity vulnerability in Lm-sys Fastchat, classified under Always-Incorrect Control Flow Implementation. CVSS score: 5.3/10. Published 2026-04-20.
How severe is CVE-2026-6608?: Medium severity. CVSS v3 base score is 5.3 out of 10.