CVE-2026-2654
- EPSS 0.04%
- Published 18.02.2026 13:32:06
- Last modified 20.02.2026 20:51:16
A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the ...
- EPSS 2.48%
- Published 23.12.2025 21:15:48
- Last modified 29.12.2025 15:58:56
Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentic...
CVE-2025-11844
- EPSS 0.06%
- Published 22.10.2025 13:13:55
- Last modified 30.10.2025 17:43:35
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input ...
- EPSS 0.3%
- Published 27.07.2025 07:57:07
- Last modified 07.08.2025 00:51:49
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor....