CVE-2026-5998: A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file
Summary
A path traversal vulnerability (a weakness that lets attackers access files outside their intended directory) was found in chatgpt-on-wechat CowAgent versions 2.0.4 and earlier, specifically in the memory API endpoint, where it processes a filename argument. The flaw can be exploited remotely, and proof-of-concept code has already been published online.
Solution / Mitigation
Upgrading to version 2.0.5 mitigates this issue. The patch identifier is 174ee0cafc9e8e9d97a23c305418251485b8aa89.
Vulnerability Details
CVSS score: 5.3 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
April 9, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-5998
First tracked: April 10, 2026 at 02:07 AM