Huggingface Smolagents vulnerabilities
2 known vulnerabilities affecting huggingface/huggingface_smolagents.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2025-5120 | P1 | CRITICAL | CVSS 10.0 | ≥ unspecified, < 1.17.0 | 2025-07-27
CVE-2025-5120 [CRITICAL] CWE-94
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic che
nvd
CVE-2025-11844 | P4 | MEDIUM | CVSS 5.4 | ≥ unspecified, < 1.22.0 | 2025-10-22
CVE-2025-11844 [MEDIUM] CWE-643
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject
nvd