A vulnerability classified as critical has been found in huggingface smolagents 1.25.0.dev0. It affects the functions evaluate_augassign, evaluate_call and evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. The manipulation leads to code injection.
This vulnerability is identified as CVE-2026-4963. The attack can be initiated remotely, and an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.