CVE-2026-2654 | huggingface smolagents 1.24.0 LocalPythonExecutor requests.get/requests.post server-side request forgery

Inserito da Angelo Barbosa | Feb 18, 2026 | CVE

A vulnerability was found in huggingface smolagents 1.24.0. It has been declared as critical. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery.

This vulnerability is registered as CVE-2026-2654. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-2654 | huggingface smolagents 1.24.0 LocalPythonExecutor requests.get/requests.post server-side request forgery

Post correlati

CVE-2024-49761 | rexml Gem up to 3.3.8 on Ruby redos

CVE-2025-13034 | cURL up to 8.17.0 QUIC Certificate certificate validation

CVE-2026-1552 | SEMCMS 5.0 /SEMCMS_Info.php searchml sql injection

CVE-2024-35266 | Microsoft Azure DevOps Server 2022.1 cross site scripting