CVE-2026-4963: A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evalu
Summary
A code injection vulnerability (CVE-2026-4963) was found in huggingface smolagents version 1.25.0.dev0, specifically in functions within the local_python_executor.py file that were supposed to fix a previous vulnerability. An attacker can exploit this flaw remotely by injecting malicious code, and the exploit is publicly available, though the vendor has not responded to disclosure attempts.
Vulnerability Details
CVSS score: 6.3 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: required
March 27, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-4963
First tracked: March 27, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%