huggingface / smolagents
Project repository
🤗 smolagents: a barebones library for agents that think in python code.
Response targets: first interaction within N/A days; review within 15 days; fix within N/A days.
Reports (title | date | reporter | status | severity):

Jinja2 SSTI via attacker-controlled prompt_templates in from_dict() enables OS R... | May 25th 2026 | mambnub1 | duplicate | Critical
LocalPythonExecutor timeout waits for blocked worker, allowing denial of service | May 25th 2026 | ethanmbinns | duplicate | High
smolagents timeout waits for blocked code to finish | May 22nd 2026 | sravan27 | duplicate | None
Sandbox Escape and Remote Code Execution (RCE) on Windows via Unblocked nt.syste... | May 20th 2026 | root-aamir | informative | Critical
smolagents LocalPythonExecutor Sandbox Escape via Augmented Assignment Dunder By... | May 20th 2026 | wulonchia-pro | informative | Critical
Sandbox Bypass via Missing Dunder Write Protection in LocalPythonExecutor | May 20th 2026 | parallaxfx-343 | informative | Medium
SSRF in VisitWebpageTool allows server to fetch internal services and cloud meta... | May 19th 2026 | hoangperry | informative | High
LocalPythonInterpreter sandbox bypass: dunder attributes readable via str.format... | May 20th 2026 | hoangperry | informative | Medium
Arbitrary Code Execution (RCE) via Sandbox Escape in LocalPythonExecutor (random... | May 20th 2026 | ridhoajaaa | informative | Critical
str.format bypasses LocalPythonExecutor dunder restrictions and leaks tool globa... | May 20th 2026 | raviakbar97 | informative | Low
Tool.from_space uploads prompt-controlled local file paths to remote Spaces by d... | May 19th 2026 | sakuyainazaki | informative | High
SSRF in default `VisitWebpageTool`: `requests.get(url)` with no URL validation a... | May 19th 2026 | gunoooo | informative | High
Sandbox dunder-attribute filter bypass via str.format() field path access in loc... | May 20th 2026 | turtlesmaster1 | informative | Medium
LocalPythonExecutor timeout_seconds bypass via ThreadPoolExecutor — blocking cal... | May 20th 2026 | yx350182449 | informative | Medium
smolagents LocalPythonExecutor sandbox escape via frame object exposure | May 20th 2026 | pyditn2 | informative | High
Unbounded Memory Allocation via Unvalidated numpy dtype in SafeSerializer enable... | May 20th 2026 | carrtik | informative | Medium
SSRF in VisitWebpageTool and AgentAudio — Agent Tools Fetch Attacker-Controlled... | May 11th 2026 | dantecastelao | self closed |
Systemic Sandbox Escape in LocalPythonExecutor via Native Dunder Invocation — 13... | May 11th 2026 | dantecastelao | self closed |
Local file exfiltration via Tool.from_space auto-wrapping of model-controlled st... | May 19th 2026 | pablogar0 | informative | High
LocalPythonExecutor timeout waits for worker completion, enabling denial of serv... | May 20th 2026 | nguyencong2k | informative | Medium
Silent variable fuzzy-matching in LocalPythonExecutor leaks sensitive state data... | May 19th 2026 | eserobe | informative | High
Shell injection via unsanitized package names in install_packages() allows RCE o... | May 20th 2026 | pratikbarahatte87 | duplicate | Critical
LocalPythonInterpreter ReDoS via re module bypasses execution timeout | May 20th 2026 | colinm-sys | informative | Medium
LocalPythonInterpreter sandbox escape via __format__ dunder bypass | May 20th 2026 | colinm-sys | informative | Critical
Tool.from_space() auto-uploads agent-controlled local file paths to remote Gradi... | May 19th 2026 | arunacademy13-lang | informative | Medium
RCE via unsandboxed exec() in Tool.from_code() triggered by MultiStepAgent.from_... | May 3rd 2026 | nssys | self closed |
Missing cleanup of temporary files on exception in tools.py and remote_executors... | May 20th 2026 | merttturan | informative | Medium
Local Python Executor Sandbox Escape via Generator Frame `f_locals` Mutation | May 20th 2026 | hacck3y | informative | High
Sandbox Escape and Remote Code Execution via with statement in LocalPythonExecut... | May 20th 2026 | youssef-essam-swe | informative | Critical
SSRF via AgentImage/AgentAudio URL Fetch During Result Deserialization | May 19th 2026 | jd-admrl-ai | informative | None
SSRF via VisitWebpageTool — Unrestricted Internal Network Access | May 19th 2026 | jd-admrl-ai | informative | Critical
smolagents - Local Python Executor Timeout Bypass via ThreadPoolExecutor shutdow... | May 20th 2026 | white-hat-lab | informative | High
Sandbox Escape and Information Disclosure via Formatted Value Dunder Attribute A... | May 20th 2026 | 0umutekinci | informative | Critical
Remote Code Execution (RCE) via Arbitrary Code Injection in Tool.from_dict() | Apr 28th 2026 | 0umutekinci | informative | Critical
smolagents VisitWebpageTool performs unvalidated HTTP requests enabling SSRF to... | Apr 23rd 2026 | elibell004 | duplicate | None
CODENAME: GOT LESS MAN | Apr 29th 2026 | shu4ya | informative | High
smolagents LocalPythonExecutor sandbox escape via traceback frame mutation of au... | Apr 29th 2026 | mirr2 | informative | High
Tool.from_space() auto-uploads local file path arguments to remote Gradio Spaces... | May 19th 2026 | mirr2 | informative | Medium
str.format() Bypasses All Sandbox Security Controls in LocalPythonExecutor | Apr 19th 2026 | blockbrain-scanner | duplicate | High
LocalPythonExecutor sandbox escape via statistics.sys.modules — unauthorized acc... | May 20th 2026 | ryanwms24 | informative | Critical
LocalPythonExecutor Sandbox Bypass via str.format() Dunder Attribute Traversal | May 20th 2026 | wulonchia-pro | informative | High
Arbitrary code execution via Tool.from_dict/from_folder bypassing trust_remote_c... | Apr 28th 2026 | snakeyworm | informative | High
smolagents GradioUI remote denial of service via uncaught BaseException in CodeA... | May 20th 2026 | gnesher | informative | High
SSRF via VisitWebpageTool + Sandbox Dunder Attribute Bypass in smolagents | Apr 12th 2026 | snakeyworm | duplicate | None
Sandbox escape via asymmetric dunder protection — write-side allows __class__ as... | Apr 12th 2026 | snakeyworm | duplicate | Critical
Sandbox Bypass via Unprotected setattr() Allows Dunder Attribute Writes in Local... | Apr 11th 2026 | skillwager | duplicate | None
Unsanitized driver.current_url injected into agent observation memory | May 20th 2026 | dfuselier | informative | Low
LocalPythonExecutor setattr/set_value Dunder Bypass — Complete Sandbox Escape | Apr 11th 2026 | lexi-core-ai | duplicate | None
Sandbox escape via ctypes missing from DANGEROUS_MODULES in LocalPythonExecutor... | May 20th 2026 | elliottower | informative | Critical
Sandbox Escape in LocalPythonExecutor via Augmented Assignment + __radd__ Chain... | May 20th 2026 | skillwager | informative | Critical
str.format() Bypasses Dunder Sandbox in smolagents LocalPythonExecutor — Full Pr... | Apr 19th 2026 | rael-ivar | duplicate | High
Arbitrary code execution via unsandboxed exec() in Tool.from_hub() — downloaded... | May 20th 2026 | elliottower | informative | High
Cross-Site Scripting (XSS) via Jinja2 Autoescape Disabled in Gradio App Templa... | Apr 5th 2026 | kulchandra-199 | self closed |
Sandbox escape via asymmetric dunder protection — write-side allows __class__ as... | Apr 11th 2026 | wormysnake | duplicate | Critical
Sandbox Escape via Unprotected setattr() Allows Dunder Attribute Modification in... | Apr 11th 2026 | lihfdgjr | duplicate | Critical
Sandbox Escape via Unguarded setattr Allows Dunder Attribute Writes Leading to R... | Apr 11th 2026 | lihfdgjr | duplicate | High
LocalPythonExecutor sandbox bypass via str.format() dunder attribute access | Mar 31st 2026 | colesmcintosh | duplicate | Medium
Command Injection via Unsanitized pip Install in RemoteExecutor (smolagents) | May 20th 2026 | navneettsinghh | duplicate | Critical
Sandbox Escape via Generator Frame Locals Mutation Enables Arbitrary Code Execut... | Mar 31st 2026 | aditya4727 | duplicate | Critical
SSRF in AgentAudio.tensor via unvalidated URL in requests.get() | May 19th 2026 | tranhoangtu-it | informative | Critical
Sandbox Escape via str.format() Attribute Resolution in Local Python Executor | Mar 31st 2026 | caoxuyang | duplicate | Critical
Arbitrary Code Execution via raw exec() in Tool.from_code() | Mar 26th 2026 | jdhart81 | duplicate | Critical
Command injection via unsanitized package names in install_packages() for remote... | May 20th 2026 | chrisabra-co | duplicate | Critical
Tool.from_code()` and `Tool.from_dict()` execute arbitrary code via exec() witho... | Mar 26th 2026 | chrisabra-co | duplicate | High
Sandbox escape via pickle deserialization in remote executor return channel — al... | Mar 25th 2026 | kodareef5 | informative | Critical
Sandbox escape via dunder check bypass chain in LocalPythonExecutor, arbitrary f... | Mar 25th 2026 | kodareef5 | informative | Critical
Sandbox Escape via Asymmetric Dunder Attribute Check — Write Bypasses Read Prote... | May 20th 2026 | nhomyk | informative | Critical
Sandbox Escape via Asymmetric Dunder Attribute Check — Writes Bypass Read Protec... | Mar 21st 2026 | nhomyk | self closed |
Sandbox Escape via Traceback Frame Access in Context Manager __exit__ | Mar 25th 2026 | montanaflynn | informative | Critical
Format String Bypass of Python Sandbox Dunder Attribute Restrictions (Post CVE-2... | Mar 31st 2026 | snailsploit | duplicate | High
Circular Object Reference Causes Uncontrolled Resource Consumption in make_json_... | Mar 25th 2026 | tru1hx | informative | Medium
`set_value()` in `LocalPythonExecutor` Does Not Check for Dunder Attribute Names... | May 20th 2026 | hantul | informative | Medium
Sandbox escape via ctypes in LocalPythonExecutor allows arbitrary OS command exe... | May 20th 2026 | rishavkumarthapa01-sketch | informative | High
Missing trust_remote_code safety check in from_dict() and from_folder() silently... | Mar 17th 2026 | gprem-ctrl | duplicate | High
from_dict() and from_folder() bypass trust_remote_code gate and execute arbitrar... | Mar 16th 2026 | gprem-ctrl | self closed |
evaluate_name() in LocalPythonExecutor silently leaks sensitive state variables... | May 19th 2026 | gprem-ctrl | informative | High
Unsandboxed exec() in Tool.from_hub() Enables RCE via Compromised Hub Space (No... | Mar 17th 2026 | odysseypro25-project | duplicate | High
# Remote Code Execution via Tool.from_code() and Tool.from_dict() Code Injection | Mar 17th 2026 | yhy0 | duplicate | Critical
# Remote Code Execution via Jinja2 Server-Side Template Injection in populate_te... | May 25th 2026 | yhy0 | duplicate | Critical
Sandbox Protection Inconsistency in LocalPythonExecutor | Mar 18th 2026 | yhy0 | informative | Medium
SSRF in VisitWebpageTool via unrestricted backend URL fetch | Mar 19th 2026 | midasavocado | informative | Medium
SSRF via VisitWebpageTool allows access to internal network services | Mar 19th 2026 | lexi-core-ai | informative | High
Arbitrary Code Execution via Tool.from_code() without trust validation | Mar 17th 2026 | lexi-core-ai | duplicate | Critical
SSRF in VisitWebpageTool allows access to internal services and cloud metadata | Mar 19th 2026 | narrator3333-hash | informative | High
Sandbox Escape via evaluate_augassign() Dunder Attribute Bypass (CVE-2025-9959 b... | May 20th 2026 | mscgo | informative | None
Command injection via malicious package names in remote executor install_package... | May 20th 2026 | odysseypro25-project | informative | None
SSRF in default VisitWebpageTool — no URL validation allows access to internal n... | Mar 19th 2026 | odysseypro25-project | informative | None
Python sandbox escape leading to Remote Code Execution (RCE) in huggingface/smol... | May 20th 2026 | yulate | informative | Critical
Sandbox Escape in local_python_executor via augassign dunder bypass → RCE (bypas... | Mar 31st 2026 | romain-deperne | duplicate | Critical
Python Sandbox Bypass via `__globals__` In-Place Mutation Enables Remote Code Ex... | May 20th 2026 | apeiria-zero | informative | Critical
Unsafe deserialization via pickle in smolagents tool and agent serialization | Jun 5th 2026 | etwithin | pending |
Sandbox Dunder Protection Bypass and Arbitrary Attribute Injection via `get_curr... | Mar 18th 2026 | hax1ng | duplicate | Critical
Jinja2 Server-Side Template Injection (SSTI) Leading to Remote Code Execution vi... | Mar 3rd 2026 | hax1ng | duplicate | Critical
Sandbox Escape to Arbitrary Command Execution via Context Manager Traceback Fram... | Mar 3rd 2026 | hax1ng | duplicate | Critical
Missing check_safer_result() in evaluate_call() allows DANGEROUS_FUNCTIONS bypas... | Mar 3rd 2026 | eigentum | duplicate | Critical
Sandbox Dunder Protection Bypass via Unguarded `setattr`, `set_value` Attribute... | Mar 18th 2026 | hax1ng | duplicate | Critical
Sandbox Escape via Generator Frame Locals in LocalPythonExecutor | Feb 28th 2026 | dorjoos | duplicate | Critical
Sandbox policy bypass: dunder attribute access not consistently enforced in AugA... | May 20th 2026 | unicuervo16 | informative | Medium
SSRF in VisitWebpageTool (smolagents) | Feb 27th 2026 | alipayhihonor | duplicate | High
Multiple Sandbox Escapes in LocalPythonExecutor via Generator Frame Manipulation | Feb 28th 2026 | zitoxxx | duplicate | None
 | Feb 26th 2026 | zitoxxx | self closed |
Sandbox Escape to Arbitrary Code Execution (RCE) in smolagents via evaluate_auga... | Mar 3rd 2026 | zitoxxx | duplicate | None
Server-Side Request Forgery (SSRF) in VisitWebpageTool | Feb 27th 2026 | zitoxxx | duplicate | High
Remote Code Execution via Tool.from_dict() and Agent.from_folder() without trust... | Mar 17th 2026 | optimus-fulcria | duplicate | High
Sandbox Information Leak via get_safe_module Unsafe Attribute Copying — Full Run... | Mar 3rd 2026 | l1iith | duplicate | Critical
Sandbox Bypass — Missing Dunder Access Controls in evaluate_call, set_value, and... | Mar 18th 2026 | l1iith | duplicate | High
Sandbox Escape via Unsafe `pickle.loads()` of Sandbox-Controlled Data in Remote... | May 11th 2026 | l1iith | pending |
Arbitrary Code Execution via `from_dict` / `from_folder` / `Tool.from_dict` / `T... | Mar 17th 2026 | l1iith | duplicate | High
Remote Code Execution (RCE) via Insecure Deserialization in remote_executors.py | Feb 8th 2026 | askhat707 | duplicate | Critical
Novel `yaml.load` Remote Code Execution (RCE) via Prompt Injection in `smolagen... | Feb 7th 2026 | riskyrajiv | duplicate | Critical
Bounty amounts by severity: Critical $500; High $250; Medium $41.666666666666664; Low $6.666666666666667.