Medium severity6.3NVD Advisory· Published Feb 18, 2026· Updated Apr 29, 2026

CVE-2026-2654

Description

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
smolagentsPyPI	<= 1.24.0	—

Affected products

Huggingface/Smolagents
cpe:2.3:a:huggingface:smolagents:*:*:*:*:*:*:*:*
Range: >=1.0.0,<=1.24.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/CH0ico/CVE_choco_smolagent/blob/main/report.mdnvdExploitThird Party AdvisoryWEB
github.com/CH0ico/CVE_choco_smolagent/tree/mainnvdThird Party AdvisoryWEB
github.com/advisories/GHSA-jxgv-6j54-wwc7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-2654ghsaADVISORY
vuldb.comnvdThird Party AdvisoryVDB EntryWEB
vuldb.comnvdThird Party AdvisoryVDB EntryWEB
vuldb.comnvdThird Party AdvisoryVDB EntryWEB

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000