PT-2025-43137 · Hugging Face · Smolagents

Published 2025-09-25 · Updated 2025-10-30 · CVE-2025-11844

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Hugging Face Smolagents versions prior to 1.22.0
Description: The software contains an XPath injection issue in the `search_item_ctrl_f` function within the `src/smolagents/vision_web_browser.py` file. The function builds an XPath query by concatenating user-provided input directly into the XPath expression without sufficient sanitization or escaping. This allows an attacker to inject XPath syntax and alter the query's logic. The result can be bypassed search filters, access to unintended DOM elements, and disrupted web automation workflows, potentially leading to information disclosure and compromised AI agent interactions. The API endpoint is not mentioned. The vulnerable parameter is not mentioned.
Recommendations: Upgrade to Smolagents version 1.22.0 or later.
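Added example (not smolagents' own code and not the upstream 1.22.0 fix): the unsafe concatenation pattern the description refers to, beside a builder that always emits the search text as a well-formed XPath 1.0 string literal. The predicate shape `contains(text(), ...)` for a Ctrl-F style search is an assumption for illustration.

```python
"""XPath query construction for a Ctrl-F style text search.

Added example; the query shape is assumed, not taken from smolagents.
"""


def xpath_string_literal(value: str) -> str:
    """Return `value` as a well-formed XPath 1.0 string literal.

    XPath 1.0 string literals have no escape sequence, so text that contains
    both quote characters must be assembled with concat().
    """
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    # Split on double quotes; wrap each piece in double quotes and insert the
    # double quote itself as a single-quoted literal between the pieces.
    # A value containing both quotes splits into >= 2 parts, so concat()
    # always receives the minimum of two arguments it requires.
    parts = value.split('"')
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f'"{part}"')
        if i < len(parts) - 1:
            pieces.append("'\"'")
    return "concat(" + ", ".join(pieces) + ")"


def build_ctrl_f_xpath_unsafe(text: str) -> str:
    """The pattern the advisory describes: user text concatenated into the
    expression, so a quote in the text terminates the literal early."""
    return f"//*[contains(text(), '{text}')]"


def build_ctrl_f_xpath(text: str) -> str:
    """Hardened builder: the search text is emitted as one string literal,
    so quote characters in it cannot close the literal or alter the predicate."""
    return f"//*[contains(text(), {xpath_string_literal(text)})]"
```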

Related Identifiers

BDU:2025-14894
CVE-2025-11844
GHSA-8MF9-RMGW-33QC

Affected Products

Smolagents