CVE-2026-2654: A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of
Summary
A server-side request forgery (SSRF) vulnerability, in which an attacker tricks a server into making unwanted web requests, was found in Hugging Face's smolagents version 1.24.0, specifically in the requests.get and requests.post functions of the LocalPythonExecutor component. An attacker can exploit this remotely, and the vulnerability has been publicly disclosed; the vendor did not respond when contacted.
Vulnerability Details
6.3 (medium)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-2654
First tracked: February 18, 2026 at 11:07 AM