Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-11844

Good to know:

icon
icon
icon

Date: October 22, 2025

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.

Severity Score

Related Resources (5)

https://github.com/huggingface/smolagents
https://nvd.nist.gov/vuln/detail/CVE-2025-11844
https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4
https://github.com/huggingface/smolagents/commit/f570ed5e17999d4cf7d5e79c2830fbaefab8a794
https://www.mend.io/vulnerability-database/CVE-2025-11844

Severity Score

Weakness Type (CWE)

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

CWE-643

Top Fix

icon

Upgrade Version

Upgrade to version smolagents - 1.22.0;https://github.com/huggingface/smolagents.git - v1.22.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us