Search
Find a vulnerability
Search criteria
8 vulnerabilities found for CowAgent by zhayujie
CVE-2026-15332 (GCVE-0-2026-15332)
Vulnerability from nvd – Published: 2026-07-10 04:45 – Updated: 2026-07-10 15:17
VLAI
EPSS
VEX
Title
zhayujie CowAgent Message Endpoint channel.py authorization
Summary
A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377275 | vdb-entry |
| https://vuldb.com/vuln/377275/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15332 | third-party-advisory |
| https://vuldb.com/submit/853105 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2874 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15332",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T15:17:49.153601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:17:55.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Message Endpoint"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:45:08.053Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377275 | zhayujie CowAgent Message Endpoint channel.py authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377275"
},
{
"name": "VDB-377275 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377275/cti"
},
{
"name": "CVE-2026-15332 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15332"
},
{
"name": "Submit #853105 | zhayujie CowAgent \u003c= 2.1.0 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853105"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2874"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Message Endpoint channel.py authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15332",
"datePublished": "2026-07-10T04:45:08.053Z",
"dateReserved": "2026-07-09T18:37:50.069Z",
"dateUpdated": "2026-07-10T15:17:55.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15331 (GCVE-0-2026-15331)
Vulnerability from nvd – Published: 2026-07-10 04:15 – Updated: 2026-07-10 14:26 X_Open Source
VLAI
EPSS
VEX
Title
zhayujie CowAgent Skill Installation service.py _add_package path traversal
Summary
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377274 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377274/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15331 | third-party-advisory |
| https://vuldb.com/submit/853104 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2873 | issue-tracking |
| https://github.com/zhayujie/CowAgent/pull/2886 | issue-trackingpatch |
| https://github.com/zhayujie/CowAgent/commit/e8529… | patch |
| https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 | patch |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:26:26.657365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:26:46.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2873"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Skill Installation Handler"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "unaffected",
"version": "2.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:15:10.104Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377274 | zhayujie CowAgent Skill Installation service.py _add_package path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377274"
},
{
"name": "VDB-377274 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377274/cti"
},
{
"name": "CVE-2026-15331 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15331"
},
{
"name": "Submit #853104 | zhayujie CowAgent \u003c= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853104"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2873"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/pull/2886"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/releases/tag/2.1.2"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Skill Installation service.py _add_package path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15331",
"datePublished": "2026-07-10T04:15:10.104Z",
"dateReserved": "2026-07-09T18:37:47.214Z",
"dateUpdated": "2026-07-10T14:26:46.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15330 (GCVE-0-2026-15330)
Vulnerability from nvd – Published: 2026-07-10 04:00 – Updated: 2026-07-10 20:31 X_Open Source
VLAI
EPSS
VEX
Title
zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery
Summary
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377273 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377273/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15330 | third-party-advisory |
| https://vuldb.com/submit/853103 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2872 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/pull/2886 | issue-trackingpatch |
| https://github.com/zhayujie/CowAgent/commit/e8529… | patch |
| https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 | patch |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15330",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:26:20.760065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:31:19.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Vision Tool"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "affected",
"version": "2.1.1"
},
{
"status": "unaffected",
"version": "2.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:00:10.896Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377273 | zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377273"
},
{
"name": "VDB-377273 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377273/cti"
},
{
"name": "CVE-2026-15330 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15330"
},
{
"name": "Submit #853103 | zhayujie CowAgent \u003c= 2.1.0 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853103"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2872"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/pull/2886"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/releases/tag/2.1.2"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15330",
"datePublished": "2026-07-10T04:00:10.896Z",
"dateReserved": "2026-07-09T18:37:44.563Z",
"dateUpdated": "2026-07-10T20:31:19.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15329 (GCVE-0-2026-15329)
Vulnerability from nvd – Published: 2026-07-10 03:30 – Updated: 2026-07-14 01:28
VLAI
EPSS
VEX
Title
zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure
Summary
A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377272 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377272/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15329 | third-party-advisory |
| https://vuldb.com/submit/853098 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2871 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/issues/2871#… | issue-tracking |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15329",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:28:37.180527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:28:47.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Browser Tool"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:30:08.320Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377272 | zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377272"
},
{
"name": "VDB-377272 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377272/cti"
},
{
"name": "CVE-2026-15329 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15329"
},
{
"name": "Submit #853098 | zhayujie CowAgent \u003c= 2.1.0 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853098"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2871"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2871#issuecomment-4922534422"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15329",
"datePublished": "2026-07-10T03:30:08.320Z",
"dateReserved": "2026-07-09T18:37:41.980Z",
"dateUpdated": "2026-07-14T01:28:47.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15332 (GCVE-0-2026-15332)
Vulnerability from cvelistv5 – Published: 2026-07-10 04:45 – Updated: 2026-07-10 15:17
VLAI
EPSS
VEX
Title
zhayujie CowAgent Message Endpoint channel.py authorization
Summary
A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377275 | vdb-entry |
| https://vuldb.com/vuln/377275/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15332 | third-party-advisory |
| https://vuldb.com/submit/853105 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2874 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15332",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T15:17:49.153601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:17:55.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Message Endpoint"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:45:08.053Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377275 | zhayujie CowAgent Message Endpoint channel.py authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377275"
},
{
"name": "VDB-377275 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377275/cti"
},
{
"name": "CVE-2026-15332 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15332"
},
{
"name": "Submit #853105 | zhayujie CowAgent \u003c= 2.1.0 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853105"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2874"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Message Endpoint channel.py authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15332",
"datePublished": "2026-07-10T04:45:08.053Z",
"dateReserved": "2026-07-09T18:37:50.069Z",
"dateUpdated": "2026-07-10T15:17:55.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15331 (GCVE-0-2026-15331)
Vulnerability from cvelistv5 – Published: 2026-07-10 04:15 – Updated: 2026-07-10 14:26 X_Open Source
VLAI
EPSS
VEX
Title
zhayujie CowAgent Skill Installation service.py _add_package path traversal
Summary
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377274 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377274/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15331 | third-party-advisory |
| https://vuldb.com/submit/853104 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2873 | issue-tracking |
| https://github.com/zhayujie/CowAgent/pull/2886 | issue-trackingpatch |
| https://github.com/zhayujie/CowAgent/commit/e8529… | patch |
| https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 | patch |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:26:26.657365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:26:46.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2873"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Skill Installation Handler"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "unaffected",
"version": "2.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:15:10.104Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377274 | zhayujie CowAgent Skill Installation service.py _add_package path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377274"
},
{
"name": "VDB-377274 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377274/cti"
},
{
"name": "CVE-2026-15331 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15331"
},
{
"name": "Submit #853104 | zhayujie CowAgent \u003c= 2.1.0 Improper Limitation of a Pathname to a Restricted Directory (CWE-22)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853104"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2873"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/pull/2886"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/releases/tag/2.1.2"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Skill Installation service.py _add_package path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15331",
"datePublished": "2026-07-10T04:15:10.104Z",
"dateReserved": "2026-07-09T18:37:47.214Z",
"dateUpdated": "2026-07-10T14:26:46.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15330 (GCVE-0-2026-15330)
Vulnerability from cvelistv5 – Published: 2026-07-10 04:00 – Updated: 2026-07-10 20:31 X_Open Source
VLAI
EPSS
VEX
Title
zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery
Summary
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377273 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377273/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15330 | third-party-advisory |
| https://vuldb.com/submit/853103 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2872 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/pull/2886 | issue-trackingpatch |
| https://github.com/zhayujie/CowAgent/commit/e8529… | patch |
| https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 | patch |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15330",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:26:20.760065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:31:19.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Vision Tool"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.1.0"
},
{
"status": "affected",
"version": "2.1.1"
},
{
"status": "unaffected",
"version": "2.1.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:00:10.896Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377273 | zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377273"
},
{
"name": "VDB-377273 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377273/cti"
},
{
"name": "CVE-2026-15330 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15330"
},
{
"name": "Submit #853103 | zhayujie CowAgent \u003c= 2.1.0 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853103"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2872"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/pull/2886"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264"
},
{
"tags": [
"patch"
],
"url": "https://github.com/zhayujie/CowAgent/releases/tag/2.1.2"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15330",
"datePublished": "2026-07-10T04:00:10.896Z",
"dateReserved": "2026-07-09T18:37:44.563Z",
"dateUpdated": "2026-07-10T20:31:19.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15329 (GCVE-0-2026-15329)
Vulnerability from cvelistv5 – Published: 2026-07-10 03:30 – Updated: 2026-07-14 01:28
VLAI
EPSS
VEX
Title
zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure
Summary
A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377272 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377272/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15329 | third-party-advisory |
| https://vuldb.com/submit/853098 | third-party-advisory |
| https://github.com/zhayujie/CowAgent/issues/2871 | exploitissue-tracking |
| https://github.com/zhayujie/CowAgent/issues/2871#… | issue-tracking |
| https://github.com/zhayujie/CowAgent/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15329",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:28:37.180527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:28:47.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:zhayujie:cowagent:*:*:*:*:*:*:*:*"
],
"modules": [
"Browser Tool"
],
"product": "CowAgent",
"vendor": "zhayujie",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-x (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:30:08.320Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377272 | zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377272"
},
{
"name": "VDB-377272 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377272/cti"
},
{
"name": "CVE-2026-15329 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15329"
},
{
"name": "Submit #853098 | zhayujie CowAgent \u003c= 2.1.0 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/853098"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2871"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/zhayujie/CowAgent/issues/2871#issuecomment-4922534422"
},
{
"tags": [
"product"
],
"url": "https://github.com/zhayujie/CowAgent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:43:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "zhayujie CowAgent Browser Tool browser_tool.py BrowserTool._do_navigate information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15329",
"datePublished": "2026-07-10T03:30:08.320Z",
"dateReserved": "2026-07-09T18:37:41.980Z",
"dateUpdated": "2026-07-14T01:28:47.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}