CVE-2026-6608

| EUVD-2026-23780 MEDIUM
2026-04-20 VulDB GHSA-f3q6-69f3-vwch
Information Disclosure Fastchat
5.5
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 20, 2026 - 06:28 vuln.today
CVSS Changed
Apr 20, 2026 - 06:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)

DescriptionNVD

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was fixed in commit 34eca62 for gradio_block_arena_named.py, but three other files were missed.

AnalysisAI

Information disclosure in lm-sys FastChat up to version 0.2.36 allows remote unauthenticated attackers to manipulate the add_text function in the Arena Side-by-Side View Handler, resulting in incorrect control flow that exposes sensitive data. The vulnerability has publicly available exploit code and affects the web-based arena comparison interface. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6608 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy