๐Ÿ” CVE Alert

CVE-2026-15331

MEDIUM 5.4

zhayujie CowAgent Skill Installation service.py _add_package path traversal

CVSS Score
5.4
EPSS Score
0.4%
EPSS Percentile
30th

A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component.

CWE CWE-22
Vendor zhayujie
Product cowagent
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for zhayujie cowagent

Be the first to know when new medium vulnerabilities affecting zhayujie cowagent are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

zhayujie / CowAgent
2.0 2.1.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/377274 vuldb.com: https://vuldb.com/vuln/377274/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15331 vuldb.com: https://vuldb.com/submit/853104 github.com: https://github.com/zhayujie/CowAgent/issues/2873 github.com: https://github.com/zhayujie/CowAgent/pull/2886 github.com: https://github.com/zhayujie/CowAgent/commit/e85290cddcbb5ffc9c235927f4c92e5b4c3ec264 github.com: https://github.com/zhayujie/CowAgent/releases/tag/2.1.2 github.com: https://github.com/zhayujie/CowAgent/

Credits

๐Ÿ” Eric-x (VulDB User)