A vulnerability was found in zhayujie CowAgent up to 2.1.1. It has been declared as critical. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument url can lead to server-side request forgery. This vulnerability appears as CVE-2026-16194. The attack may be performed from remote. In addition, an exploit is available. It
Exploit
CVE-2026-16194
VulDB
Apply vendor security patch