Lucene search
+L

80 matches found

zdi
zdi
added 2025/12/18 12:0 a.m.3 views

(0Day) Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation...

10CVSS7.7AI score0.0083EPSS
Exploits0
ptsecurity
ptsecurity
added 2025/12/18 12:0 a.m.8 views

PT-2025-52388

Name of the Vulnerable Software and Affected Versions Hugging Face smolagents affected versions not specified Description A flaw exists in Hugging Face smolagents that allows remote attackers to execute arbitrary code on affected systems. Authentication is not required for exploitation. The issue...

10CVSS9.4AI score0.0083EPSS
Exploits0References10
redhatcve
redhatcve
added 2025/10/23 2:15 p.m.5 views

CVE-2025-11844

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS7AI score0.00252EPSS
Exploits2References1
vulnersosv
vulnersosv
added 2025/10/22 3:31 p.m.4 views

agentengine (>=0.1.5 <=0.1.8), deepmost (=0.5.2) +13 more potentially affected by CVE-2025-11844 via smolagents (>=0.1.3 <=1.21.1)

smolagents PYPI version =0.1.3, =0.1.5, =0.1.0, =0.1.1, =0.1.1, =0.1.0, =0.16.0, =2.4.0, =0.0.1.dev0, =0.0.1, =0.3.0, =0.3.7 Source cves: CVE-2025-11844 Source advisory: OSV:GHSA-8MF9-RMGW-33QC...

5.4CVSS6AI score0.00252EPSS
Exploits2
osv
osv
added 2025/10/22 3:31 p.m.7 views

GHSA-8MF9-RMGW-33QC Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS7AI score0.00252EPSS
Exploits2References4
github
github
added 2025/10/22 3:31 p.m.11 views

Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS7AI score0.00252EPSS
Exploits2References4Affected Software1
nvd
nvd
added 2025/10/22 2:15 p.m.10 views

CVE-2025-11844

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS0.00252EPSS
Exploits2References2
cvelist
cvelist
added 2025/10/22 1:13 p.m.14 views

CVE-2025-11844 XPath Injection in Hugging Face Smolagents search_item_ctrl_f Function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS0.00252EPSS
Exploits2References2
cve
cve
added 2025/10/22 1:13 p.m.24 views

CVE-2025-11844

Hugging Face Smolagents 1.20.0 has an XPath injection in search_item_ctrl_f (vision_web_browser.py) where user input is concatenated into XPath queries without sanitization, allowing attackers to modify query logic, bypass filters, and access unintended DOM elements, potentially disrupting AI web...

5.4CVSS5.7AI score0.00252EPSS
Exploits2References2Affected Software1
vulnrichment
vulnrichment
added 2025/10/22 1:13 p.m.2 views

CVE-2025-11844 XPath Injection in Hugging Face Smolagents search_item_ctrl_f Function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS6.5AI score0.00252EPSS
Exploits2References2
osv
osv
added 2025/10/22 1:13 p.m.3 views

CVE-2025-11844 XPath Injection in Hugging Face Smolagents search_item_ctrl_f Function

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...

5.4CVSS6.1AI score0.00252EPSS
Exploits2References4
euvd
euvd
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-22815

Malicious code in bioql PyPI...

10CVSS7.5AI score0.18654EPSS
Exploits1References3
euvd
euvd
added 2025/10/03 8:7 p.m.9 views

EUVD-2025-26607

Malicious code in bioql PyPI...

7.6CVSS6.6AI score0.00291EPSS
Exploits0References2
vulnersosv
vulnersosv
added 2025/10/02 6:44 a.m.3 views

agentengine (>=0.1.5 <=0.1.8), deepmost (=0.5.2) +12 more potentially affected by CVE-2025-11844 via smolagents (>=1.12.0 <=1.21.1)

smolagents PYPI version =1.12.0, =0.1.5, =0.1.0, =0.1.1, =0.1.1, =0.1.0, =0.16.0, =2.4.0, =0.0.1.dev0, =0.0.1, =0.3.0, =0.3.7 Source cves: CVE-2025-11844 Source advisory: SNYK:PYTHON-SMOLAGENTS-13537512...

5.4CVSS6AI score0.00252EPSS
Exploits2
snyk
snyk
added 2025/10/02 6:44 a.m.3 views

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents. Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions 'XPath Injection' via the searchitemctrlf functio...

6.4CVSS7.2AI score0.00252EPSS
Exploits2References3
redhatcve
redhatcve
added 2025/09/05 5:24 p.m.4 views

CVE-2025-9959

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code...

7.6CVSS7.2AI score0.00291EPSS
Exploits0References1
vulnersosv
vulnersosv
added 2025/09/03 5:42 p.m.5 views

agentengine (>=0.1.5 <=0.1.8), deepmost (=0.5.2) +11 more potentially affected by CVE-2025-9959 via smolagents (>=1.12.0 <=1.19.0)

smolagents PYPI version =1.12.0, =0.1.5, =0.1.0, =0.1.1, =0.1.1, =0.1.0, =0.16.0, =0.0.1.dev0, =0.0.1, =0.3.0, =0.3.7 Source cves: CVE-2025-9959 Source advisory: SNYK:PYTHON-SMOLAGENTS-12549208...

7.6CVSS6.5AI score0.00291EPSS
Exploits0
snyk
snyk
added 2025/09/03 5:42 p.m.1 views

Arbitrary Code Injection

Overview smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents. Affected versions of this package are vulnerable to Arbitrary Code Injection due to incomplete validation of dunder attributes, that allows an attacker to...

7.6CVSS7.6AI score0.00291EPSS
Exploits0References2
nvd
nvd
added 2025/09/03 5:15 p.m.7 views

CVE-2025-9959

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code...

7.6CVSS0.00291EPSS
Exploits0References2
cvelist
cvelist
added 2025/09/03 4:53 p.m.22 views

CVE-2025-9959 Sandbox escape in smolagents Local Python execution environment via dunder attributes

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code...

7.6CVSS0.00291EPSS
Exploits0References2
Rows per page
Query Builder