CVE-2025-11844 | huggingface smolagents up to 1.21.x XPath Expression vision_web_browser.py xpath injection
A vulnerability identified as critical has been detected in huggingface smolagents up to 1.21.x. It affects an unknown function of the file src/smolagents/vision_web_browser.py in the component XPath Expression Handler. The manipulation leads to improper neutralization of data within XPath expressions (XPath injection).
This vulnerability is tracked as CVE-2025-11844. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.