huggingface / smolagents
Project repository
🤗 smolagents: a barebones library for agents that think in python code.
Response targets:
First interaction within: N/A days
Review within: 14 days
Fix within: N/A days

Reports:
Title | Date | Reporter | Status | Severity
SSRF in VisitWebpageTool and AgentAudio — Agent Tools Fetch Attacker-Controlled... | May 11th 2026 | dantecastelao | self closed | -
Systemic Sandbox Escape in LocalPythonExecutor via Native Dunder Invocation — 13... | May 11th 2026 | dantecastelao | self closed | -
RCE via unsandboxed exec() in Tool.from_code() triggered by MultiStepAgent.from_... | May 3rd 2026 | nssys | self closed | -
Remote Code Execution (RCE) via Arbitrary Code Injection in Tool.from_dict() | Apr 28th 2026 | 0umutekinci | informative | Critical
smolagents VisitWebpageTool performs unvalidated HTTP requests enabling SSRF to... | Apr 23rd 2026 | elibell004 | duplicate | None
CODENAME: GOT LESS MAN | Apr 29th 2026 | shu4ya | informative | High
smolagents LocalPythonExecutor sandbox escape via traceback frame mutation of au... | Apr 29th 2026 | mirr2 | informative | High
str.format() Bypasses All Sandbox Security Controls in LocalPythonExecutor | Apr 19th 2026 | blockbrain-scanner | duplicate | High
Arbitrary code execution via Tool.from_dict/from_folder bypassing trust_remote_c... | Apr 28th 2026 | snakeyworm | informative | High
SSRF via VisitWebpageTool + Sandbox Dunder Attribute Bypass in smolagents | Apr 12th 2026 | snakeyworm | duplicate | None
Sandbox escape via asymmetric dunder protection — write-side allows __class__ as... | Apr 12th 2026 | snakeyworm | duplicate | Critical
Sandbox Bypass via Unprotected setattr() Allows Dunder Attribute Writes in Local... | Apr 11th 2026 | skillwager | duplicate | None
LocalPythonExecutor setattr/set_value Dunder Bypass — Complete Sandbox Escape | Apr 11th 2026 | lexi-core-ai | duplicate | None
str.format() Bypasses Dunder Sandbox in smolagents LocalPythonExecutor — Full Pr... | Apr 19th 2026 | rael-ivar | duplicate | High
Cross-Site Scripting (XSS) via Jinja2 Autoescape Disabled in Gradio App Templa... | Apr 5th 2026 | kulchandra-199 | self closed | -
Sandbox escape via asymmetric dunder protection — write-side allows __class__ as... | Apr 11th 2026 | wormysnake | duplicate | Critical
Sandbox Escape via Unprotected setattr() Allows Dunder Attribute Modification in... | Apr 11th 2026 | lihfdgjr | duplicate | Critical
Sandbox Escape via Unguarded setattr Allows Dunder Attribute Writes Leading to R... | Apr 11th 2026 | lihfdgjr | duplicate | High
LocalPythonExecutor sandbox bypass via str.format() dunder attribute access | Mar 31st 2026 | colesmcintosh | duplicate | Medium
Sandbox Escape via Generator Frame Locals Mutation Enables Arbitrary Code Execut... | Mar 31st 2026 | aditya4727 | duplicate | Critical
Sandbox Escape via str.format() Attribute Resolution in Local Python Executor | Mar 31st 2026 | caoxuyang | duplicate | Critical
Arbitrary Code Execution via raw exec() in Tool.from_code() | Mar 26th 2026 | jdhart81 | duplicate | Critical
`Tool.from_code()` and `Tool.from_dict()` execute arbitrary code via exec() witho... | Mar 26th 2026 | chrisabra-co | duplicate | High
Sandbox escape via pickle deserialization in remote executor return channel — al... | Mar 25th 2026 | kodareef5 | informative | Critical
Sandbox escape via dunder check bypass chain in LocalPythonExecutor, arbitrary f... | Mar 25th 2026 | kodareef5 | informative | Critical
Sandbox Escape via Asymmetric Dunder Attribute Check — Writes Bypass Read Protec... | Mar 21st 2026 | nhomyk | self closed | -
Sandbox Escape via Traceback Frame Access in Context Manager __exit__ | Mar 25th 2026 | montanaflynn | informative | Critical
Format String Bypass of Python Sandbox Dunder Attribute Restrictions (Post CVE-2... | Mar 31st 2026 | snailsploit | duplicate | High
Circular Object Reference Causes Uncontrolled Resource Consumption in make_json_... | Mar 25th 2026 | tru1hx | informative | Medium
Missing trust_remote_code safety check in from_dict() and from_folder() silently... | Mar 17th 2026 | gprem-ctrl | duplicate | High
from_dict() and from_folder() bypass trust_remote_code gate and execute arbitrar... | Mar 16th 2026 | gprem-ctrl | self closed | -
Unsandboxed exec() in Tool.from_hub() Enables RCE via Compromised Hub Space (No... | Mar 17th 2026 | odysseypro25-project | duplicate | High
Remote Code Execution via Tool.from_code() and Tool.from_dict() Code Injection | Mar 17th 2026 | yhy0 | duplicate | Critical
Sandbox Protection Inconsistency in LocalPythonExecutor | Mar 18th 2026 | yhy0 | informative | Medium
SSRF in VisitWebpageTool via unrestricted backend URL fetch | Mar 19th 2026 | midasavocado | informative | Medium
SSRF via VisitWebpageTool allows access to internal network services | Mar 19th 2026 | lexi-core-ai | informative | High
Arbitrary Code Execution via Tool.from_code() without trust validation | Mar 17th 2026 | lexi-core-ai | duplicate | Critical
SSRF in VisitWebpageTool allows access to internal services and cloud metadata | Mar 19th 2026 | narrator3333-hash | informative | High
SSRF in default VisitWebpageTool — no URL validation allows access to internal n... | Mar 19th 2026 | odysseypro25-project | informative | None
Sandbox Escape in local_python_executor via augassign dunder bypass → RCE (bypas... | Mar 31st 2026 | romain-deperne | duplicate | Critical
Sandbox Dunder Protection Bypass and Arbitrary Attribute Injection via `get_curr... | Mar 18th 2026 | hax1ng | duplicate | Critical
Jinja2 Server-Side Template Injection (SSTI) Leading to Remote Code Execution vi... | Mar 3rd 2026 | hax1ng | duplicate | Critical
Sandbox Escape to Arbitrary Command Execution via Context Manager Traceback Fram... | Mar 3rd 2026 | hax1ng | duplicate | Critical
Missing check_safer_result() in evaluate_call() allows DANGEROUS_FUNCTIONS bypas... | Mar 3rd 2026 | eigentum | duplicate | Critical
Sandbox Dunder Protection Bypass via Unguarded `setattr`, `set_value` Attribute... | Mar 18th 2026 | hax1ng | duplicate | Critical
Sandbox Escape via Generator Frame Locals in LocalPythonExecutor | Feb 28th 2026 | dorjoos | duplicate | Critical
SSRF in VisitWebpageTool (smolagents) | Feb 27th 2026 | alipayhihonor | duplicate | High
Multiple Sandbox Escapes in LocalPythonExecutor via Generator Frame Manipulation | Feb 28th 2026 | zitoxxx | duplicate | None
(title not shown on the page) | Feb 26th 2026 | zitoxxx | self closed | -
Sandbox Escape to Arbitrary Code Execution (RCE) in smolagents via evaluate_auga... | Mar 3rd 2026 | zitoxxx | duplicate | None
Server-Side Request Forgery (SSRF) in VisitWebpageTool | Feb 27th 2026 | zitoxxx | duplicate | High
Remote Code Execution via Tool.from_dict() and Agent.from_folder() without trust... | Mar 17th 2026 | optimus-fulcria | duplicate | High
Smolagents WASM Sandbox Escape Vulnerability That Leads to RCE | Feb 16th 2026 | vladimirelitokarev | duplicate | Critical
Sandbox Information Leak via get_safe_module Unsafe Attribute Copying — Full Run... | Mar 3rd 2026 | l1iith | duplicate | Critical
Sandbox Bypass — Missing Dunder Access Controls in evaluate_call, set_value, and... | Mar 18th 2026 | l1iith | duplicate | High
Sandbox Escape via Unsafe `pickle.loads()` of Sandbox-Controlled Data in Remote... | May 11th 2026 | l1iith | pending | -
Arbitrary Code Execution via `from_dict` / `from_folder` / `Tool.from_dict` / `T... | Mar 17th 2026 | l1iith | duplicate | High
Remote Code Execution (RCE) via Insecure Deserialization in remote_executors.py | Feb 8th 2026 | askhat707 | duplicate | Critical
Novel `yaml.load` Remote Code Execution (RCE) via Prompt Injection in `smolagen... | Feb 7th 2026 | riskyrajiv | duplicate | Critical
Novel Multi-Turn Remote Code Execution (RCE) via State Poisoning in smolagents C... | May 8th 2026 | riskyrajiv | pending | -
Sandbox escape via with-statement traceback leak in LocalPythonExecutor | Mar 3rd 2026 | phenggeler | duplicate | Critical
Hugging Face smolagents V1.24.0 LocalPythonExecutor SSRF and Data Exfiltration | May 6th 2026 | ch0ico | pending | -
Arbitrary Code Execution via Pickle Deserialization in Remote Executors | Feb 8th 2026 | gitdavehorsley | duplicate | Critical
Arbitrary Code Execution via Pickle Deserialization in Remote Executors | Jan 30th 2026 | l3ster1337 | self closed | -
Unbounded Loop Causing Denial of Service in Remote Code Execution WebSocket Hand... | May 7th 2026 | dillaryclump | informative | Medium
Data Integrity Violation in Parallel Tool Execution | May 7th 2026 | dillaryclump | informative | High
Unauthenticated Sandbox Escape in LocalPythonExecutor via C-Level Format String... | Mar 18th 2026 | chafik1234 | duplicate | Critical
Remote Code Execution via Unsandboxed exec() in Tool.from_hub() and Tool.from_co... | Jan 24th 2026 | phenggeler | duplicate | Critical
Remote Code Execution via unsafe pickle deserialization in remote executors | Jan 18th 2026 | alan-tiger | duplicate | Critical
str.format() Bypasses nodunder_getattr Sandbox Protection Leading to Information... | Mar 18th 2026 | alan-tiger | duplicate | Medium
Remote Code Execution via Insecure Pickle Deserialization in Remote Executors | Jan 18th 2026 | reaperoak | duplicate | Critical
CSRF to Arbitrary Code Execution in Docker Container via Permissive CORS config | May 7th 2026 | abhishekg999 | informative | High
Critical Sandbox Escape in LocalPythonExecutor via setattr Mutability and Reflec... | Jan 7th 2026 | riskyrajiv | duplicate | Critical
WASM executor sandbox escape - Deno server global cache dir poisoning | Apr 13th 2026 | nnfrog | informative | High
DDoS via regular expression authorized in the code section | Mar 18th 2026 | gliverneaux | informative | Medium
Deserialization of Untrusted Data | Dec 28th 2025 | luffybounty18 | duplicate | Critical
Remote Code Execution via Tool.from_code() | Dec 28th 2025 | luffybounty18 | duplicate | Critical
Arbitrary Environment Variable Disclosure and Sandbox Escape via Unvalidated Con... | Jan 2nd 2026 | herdiyana256 | self closed | -
Configuration Injection via Environment Variables in smolagents | May 7th 2026 | herdiyana256 | informative | High
Security Filter Bypass in nodunder_getattr via String Subclassing | Mar 20th 2026 | chmgx81 | pending | -
Format String Sandbox Bypass in LocalPythonExecutor | Mar 18th 2026 | sec0xed | informative | High
Bounty by severity:
Critical: $500
High: $250
Medium: $41.666666666666664
Low: $6.666666666666667