What is CVE-2025-11844?

CVE-2025-11844 is a medium-severity vulnerability in Huggingface Huggingface/smolagents, classified under Improper Neutralization of Data within XPath Expressions (XPath Injection). CVSS score: 5.4/10. Published 2025-10-22.

How severe is CVE-2025-11844?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Is CVE-2025-11844 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XPath Injection in Huggingface Huggingface/smolagents

CVE-2025-11844

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supp…

EPSS: 0.001 (16.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N.

Affected products

Huggingface Huggingface/smolagents — versions unspecified

Weakness classification (CWE)

CWE-643 — Improper Neutralization of Data within XPath Expressions (XPath Injection)

Public proof-of-concept exploits

SparshBiswas-AI/CVE-2025-11844-smolagents

References

Frequently asked questions

What is CVE-2025-11844?: CVE-2025-11844 is a medium-severity vulnerability in Huggingface Huggingface/smolagents, classified under Improper Neutralization of Data within XPath Expressions (XPath Injection). CVSS score: 5.4/10. Published 2025-10-22.
How severe is CVE-2025-11844?: Medium severity. CVSS v3 base score is 5.4 out of 10.
Is CVE-2025-11844 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.