CVE-2026-15331
zhayujie CowAgent Skill Installation service.py _add_package path traversal
CVSS Score
5.4
EPSS Score
0.4%
EPSS Percentile
30th
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component.
| CWE | CWE-22 |
| Vendor | zhayujie |
| Product | cowagent |
| Published | Jul 10, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for zhayujie cowagent
Be the first to know when new medium vulnerabilities affecting zhayujie cowagent are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
zhayujie / CowAgent
2.0 2.1.0
References
vuldb.com: https://vuldb.com/vuln/377274 vuldb.com: https://vuldb.com/vuln/377274/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15331 vuldb.com: https://vuldb.com/submit/853104 github.com: https://github.com/zhayujie/CowAgent/issues/2873 github.com: https://github.com/zhayujie/CowAgent/pull/2886 github.com: https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264 github.com: https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 github.com: https://github.com/zhayujie/CowAgent/
Credits
๐ Eric-x (VulDB User)