CVE-2026-4963
huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
2nd
A weakness has been identified in huggingface smolagents 1.25.0.dev0. It affects the functions evaluate_augassign, evaluate_call and evaluate_with in the file src/smolagents/local_python_executor.py, in the component Incomplete Fix CVE-2025-9959. The manipulation leads to code injection. The attack can be initiated remotely. An exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
| Field | Value |
|---|---|
| CWE | CWE-94, CWE-74 |
| Vendor | huggingface |
| Product | smolagents |
| Published | Mar 27, 2026 |
| Last Updated | Mar 31, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | Low (A:L) |
Affected Versions
huggingface / smolagents
1.25.0.dev0
References
- vuldb.com: https://vuldb.com/?id.353840
- vuldb.com: https://vuldb.com/?ctiid.353840
- vuldb.com: https://vuldb.com/?submit.777623
- vuldb.com: https://vuldb.com/?submit.777643
- vuldb.com: https://vuldb.com/?submit.777644
- gist.github.com: https://gist.github.com/YLChen-007/7146f45960f79bc1e2976fed526e0a9b
- gist.github.com: https://gist.github.com/YLChen-007/35b7d46e892266a0ed6dbe57802858be
Credits
Eric-z (VulDB User), VulDB