AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-6608: A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena S

mediumvulnerability

security

Source: NVD/CVE DatabaseApril 20, 2026CVE-2026-6608

Summary

A vulnerability (CVE-2026-6608) was found in lm-sys fastchat up to version 0.2.36 in the add_text function of the Arena Side-by-Side View Handler component, which allows incorrect control flow (improper program execution logic) that can be exploited remotely. The root cause was partially fixed in commit 34eca62 for one file, but three other files containing the same issue were not corrected.

Vulnerability Details

CVSS Score

5.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

April 20, 2026

Classification

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-670

Affected Vendors

HuggingFace

Related Issues

high

CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling

Same vendorNVD/CVE Database

critical

CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6608

First tracked: April 20, 2026 at 08:18 AM

Classified by LLM (prompt v3) · confidence: 85%