CVE-2026-16194
zhayujie CowAgent web_fetch.py WebFetch.execute server-side request forgery
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is able to mitigate this issue. This patch is called ea47f3097eed4f8295c4cb3d76ecb97e0f43d632. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
| CWE | CWE-918 |
| Vendor | zhayujie |
| Product | cowagent |
| Published | Jul 18, 2026 |
Get instant alerts for zhayujie cowagent
Be the first to know when new medium vulnerabilities affecting zhayujie cowagent are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C