A vulnerability, which was classified as critical, has been found in zhayujie CowAgent up to 2.1.0. The affected element is the function
_add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal.
This vulnerability is listed as CVE-2026-15331. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.