CVE-2026-15330
zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery
CVSS Score
7.3
EPSS Score
0.4%
EPSS Percentile
27th
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised.
| CWE | CWE-918 |
| Vendor | zhayujie |
| Product | cowagent |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for zhayujie cowagent
Be the first to know when new high vulnerabilities affecting zhayujie cowagent are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
zhayujie / CowAgent
2.1.0 2.1.1
References
vuldb.com: https://vuldb.com/vuln/377273 vuldb.com: https://vuldb.com/vuln/377273/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15330 vuldb.com: https://vuldb.com/submit/853103 github.com: https://github.com/zhayujie/CowAgent/issues/2872 github.com: https://github.com/zhayujie/CowAgent/pull/2886 github.com: https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264 github.com: https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 github.com: https://github.com/zhayujie/CowAgent/
Credits
๐ Eric-x (VulDB User)