Control Flow Vulnerability in lm-sys FastChat Product
CVE-2026-6608

6.9 MEDIUM

Key Information:

Vendor

Lm-sys

Status
Vendor
CVE Published:
20 April 2026

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2026-6608?

A control flow vulnerability exists in the lm-sys FastChat application, specifically within the add_text function of the Arena Side-by-Side View Handler component, affecting all versions up to 0.2.36. This flaw allows remote attackers to manipulate the application, resulting in unexpected control flow. Although a fix has been applied to one file, other related files remain vulnerable, so exploitation is still possible. Because the exploit is now public, users need to know which versions are affected and apply any necessary updates.

Affected Version(s)

fastchat 0.2.0

fastchat 0.2.1

fastchat 0.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eric-f (VulDB User)