{"data":{"id":"8482b21e-7b1b-45fa-b6e4-4d207d68db36","title":"CVE-2026-4963: A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evalu","summary":"A code injection vulnerability (CVE-2026-4963) was found in huggingface smolagents version 1.25.0.dev0, in functions of local_python_executor.py (including evaluate_augassign) that were supposed to fix a previous vulnerability. The flaw can be exploited remotely by injecting malicious code, although the CVSS vector indicates that user interaction is required. The exploit is publicly available, and the vendor has not responded to disclosure attempts.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-4963","publishedAt":"2026-03-27T17:16:31.537Z","cveId":"CVE-2026-4963","cweIds":["CWE-74","CWE-94"],"cvssScore":"6.3","cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["HuggingFace","smolagents"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-27T17:16:31.537Z","capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}