Vulnerability Description
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Huggingface | Smolagents | 1.25.0 |
Related Weaknesses (CWE)
References
- https://gist.github.com/YLChen-007/35b7d46e892266a0ed6dbe57802858beExploitThird Party Advisory
- https://gist.github.com/YLChen-007/7146f45960f79bc1e2976fed526e0a9bExploitThird Party Advisory
- https://vuldb.com/?ctiid.353840Permissions RequiredVDB Entry
- https://vuldb.com/?id.353840Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.777623ExploitThird Party AdvisoryVDB Entry
- https://vuldb.com/?submit.777643ExploitThird Party AdvisoryVDB Entry
- https://vuldb.com/?submit.777644ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2026-4963?
CVE-2026-4963 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of th...
How severe is CVE-2026-4963?
CVE-2026-4963 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-4963?
Check the references section above for vendor advisories and patch information. Affected products include: Huggingface Smolagents.