VYPR

Smolagents

by Huggingface

pypi: smolagents

Source repositories

CVEs (3)

  • CVE-2025-9959HigSep 3, 2025
    risk 0.49cvss 7.6epss 0.00

    Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code.

  • CVE-2026-4963MedMar 27, 2026
    risk 0.41cvss 6.3epss 0.01

    A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code…

  • CVE-2026-2654MedFeb 18, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit…