Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires authenticated access (PR:L); impact limited strictly to low confidentiality disclosure with no integrity, availability, or scope-change impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in zhayujie CowAgent up to 2.1.0. This issue affects the function BrowserTool._do_navigate of the file agent/tools/browser/browser_tool.py of the component Browser Tool. Performing a manipulation results in information disclosure. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Information disclosure in zhayujie CowAgent up to version 2.1.0 exposes sensitive data to low-privileged authenticated remote attackers through the BrowserTool._do_navigate function in the Browser Tool component. Publicly available proof-of-concept exploit code exists via a GitHub issue report, though no patch has been released as the project maintainer has not yet responded to responsible disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires low-privileged authentication (CVSS 4.0 PR:L) - the attacker must hold a valid account or active session within the CowAgent system; unauthenticated exploitation is not possible per the confirmed CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 accurately reflects a low-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user with a low-privilege account on a CowAgent deployment sends a crafted request targeting the BrowserTool._do_navigate function, triggering the information disclosure flaw. Using the publicly available proof-of-concept documented at https://github.com/zhayujie/CowAgent/issues/2871, even a low-skill attacker can reproduce the issue and retrieve internal navigation state, session data, or other sensitive information the function improperly exposes. |
| Remediation | No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the issue report filed at https://github.com/zhayujie/CowAgent/issues/2871. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42783
GHSA-xgqv-jcxf-qp28