CVE-2026-4963 is a code injection vulnerability identified in huggingface's smolagents version 1.25.0.dev0, specifically in the functions evaluate_augassign, evaluate_call, and evaluate_with within the src/smolagents/local_python_executor.py file. This issue stems from an incomplete remediation of a prior vulnerability (CVE-2025-9959), allowing attackers to manipulate the code execution flow remotely. The vulnerability enables an attacker to inject arbitrary code that the vulnerable functions will execute, potentially compromising the host system. The attack vector is network-based with no privileges or authentication required, but user interaction is necessary to trigger the exploit. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to partial impact on confidentiality, integrity, and availability, and the requirement for user interaction. The vendor has not issued a patch or responded to the disclosure, and the exploit code is publicly available, increasing the risk of exploitation. This vulnerability is particularly concerning in environments where smolagents is used to execute dynamic Python code or automate tasks, as it could lead to unauthorized command execution, data leakage, or service disruption. Organizations relying on this version should consider immediate mitigations to prevent exploitation.

The impact of CVE-2026-4963 is significant for organizations using huggingface smolagents 1.25.0.dev0, especially in environments where the vulnerable functions process untrusted input or are exposed to external networks. Successful exploitation can lead to arbitrary code execution, compromising system confidentiality by exposing sensitive data, integrity by allowing unauthorized code changes, and availability by potentially disrupting services. Since the vulnerability requires no authentication and can be triggered remotely (albeit with user interaction), it broadens the attack surface. The availability of public exploit code increases the likelihood of attacks, including automated exploitation attempts. Organizations in AI research, machine learning pipelines, or automation relying on smolagents could face operational disruptions, data breaches, or lateral movement within their networks. The lack of vendor response and patches exacerbates the risk, leaving systems exposed until mitigations or updates are applied.

1. Immediately restrict access to any services or interfaces running smolagents 1.25.0.dev0, especially those exposed to untrusted networks. 2. Implement strict input validation and sanitization on all inputs processed by the vulnerable functions (evaluate_augassign, evaluate_call, evaluate_with) to prevent injection of malicious code. 3. Use sandboxing or containerization to isolate the execution environment of smolagents, limiting the potential damage from code execution. 4. Monitor logs and network traffic for unusual or suspicious activity indicative of exploitation attempts. 5. Disable or limit features that allow dynamic code execution where feasible until a vendor patch is available. 6. Engage in active threat hunting for signs of compromise related to this vulnerability. 7. Follow huggingface communications for updates and apply patches promptly once released. 8. Consider upgrading to a non-vulnerable version if available or applying community-developed patches with caution. 9. Educate users about the risks of interacting with untrusted inputs that could trigger the vulnerability.