CVE-2026-4963
Published: 27 March 2026
Summary
CVE-2026-4963 is a medium-severity Injection (CWE-74) vulnerability in Huggingface Smolagents. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 5.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires input validation at the interfaces of the evaluate_augassign, evaluate_call, and evaluate_with functions to neutralize special elements and prevent code injection per CWE-74 and CWE-94.
- Flaw remediation: mandates timely identification, reporting, testing, and correction of the specific code injection flaw left by the incomplete fix for CVE-2025-9959 in smolagents 1.25.0.dev0.
- CM-10 (Software Usage Restrictions): authorizes and restricts software usage to exclude vulnerable development versions such as smolagents 1.25.0.dev0, preventing deployment of the affected build and thereby exposure to the publicly available code injection exploit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary code execution via Python code injection (CWE-94) in local_python_executor directly enables T1059.006 (Command and Scripting Interpreter: Python) and T1203 (Exploitation for Client Execution, consistent with the AV:N/UI:R vector).
NVD Description
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-4963 is a code injection vulnerability in Hugging Face's smolagents library version 1.25.0.dev0, stemming from an incomplete fix for CVE-2025-9959. The issue affects the functions evaluate_augassign, evaluate_call, and evaluate_with within the file src/smolagents/local_python_executor.py. It enables manipulation that leads to arbitrary code execution, as classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Improper Control of Generation of Code).
The vulnerability can be exploited remotely over the network with low attack complexity and no required privileges, though it requires user interaction, such as clicking a malicious link or supplying crafted input. Successful exploitation has low impact on confidentiality, integrity, and availability, for an overall CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Attackers can inject and execute code in the context of the affected Python executor.
Advisories from VulDB indicate that the vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned. Publicly available exploits, hosted on GitHub Gists, demonstrate the attack vectors.
Notable context: because exploits are publicly available, the risk of real-world attacks is elevated for deployments that run this development version of smolagents, which is part of Hugging Face's AI/ML agent ecosystem.
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: huggingface