Share
## https://sploitus.com/exploit?id=587EFE8F-1A85-5F36-9FAF-C184F3F91B62
# ๐ Smolagents XPath Injection Simulation Framework (CVE-2025-11844)
An educational auditing sandbox and dynamic proof-of-concept scanner demonstrating the XPath Injection vulnerability found within Hugging Face's `smolagents` library (up to version 1.2.0).
---
## ๐ Vulnerability Profile
| Metric | Details |
| :--- | :--- |
| **CVE ID** | CVE-2025-11844 |
| **Target Component** | `search_item_ctrl_f` function inside `vision_web_browser.py` |
| **Vulnerability Type** | Improper Input Validation -> XPath Injection / DOM Breakout |
| **Impact Scope** | Local Data Extraction, Information Disclosure, Arbitrary DOM Traversal |
### ๐จ Attack Vector Analysis
The target framework uses an un-sanitized string directly inside an internal XPath querying function:
```xpath
//*[contains(text(), 'USER_INPUT_HERE')]