Vendor
A critical server-side request forgery (SSRF) vulnerability, CVE-2026-15330, exists in zhayujie CowAgent up to version 2.1.1, allowing remote attackers to manipulate the 'image' argument in the Vision Tool component's `_build_image_content` or `_download_to_data_url` functions to access internal resources or conduct port scanning.