Flowring

TVN ID: TVN-202606002

CVE ID: CVE-2026-2095, CVE-2026-2096, CVE-2026-2097, CVE-2026-2098, CVE-2026-2099

CVSS:
CVE-2026-2095, CVE-2026-2096: 9.8 (Critical)
CVE-2026-2097: 8.8 (High)
CVE-2026-2098, CVE-2026-2099: 5.4 (Medium)

Affected Products:
CVE-2026-2095, CVE-2026-2096, CVE-2026-2097: Agentflow all versions
CVE-2026-2098, CVE-2026-2099: Agentflow 4.0

Description:
CVE-2026-2095 (Authentication Bypass): Unauthenticated remote attackers can exploit a specific functionality to obtain the authentication token of an arbitrary user and log into the system as any user.
CVE-2026-2096 (Missing Authentication): Unauthenticated remote attackers can read, modify, and delete database contents by using a specific functionality.
CVE-2026-2097 (Arbitrary File Upload): Authenticated remote attackers can upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVE-2026-2098 (Reflected Cross-Site Scripting): Unauthenticated remote attackers can execute arbitrary JavaScript code in a user's browser through phishing attacks.
CVE-2026-2099 (Stored Cross-Site Scripting): Authenticated remote attackers can inject persistent JavaScript code that is executed in users' browsers upon page load.

Solution:
CVE-2026-2095, CVE-2026-2096: Refer to the following official instructions: Link
CVE-2026-2097: Contact the vendor for appropriate mitigation measures.
CVE-2026-2098, CVE-2026-2099: Update to version 4.0.0.1878.877 or later.

Credit:
CVE-2026-2095, CVE-2026-2096, CVE-2026-2097: Sideman (DEVCORE)
CVE-2026-2098, CVE-2026-2099: ChunHao Yang (CHTSecurity)

Public Date: 2026-02-06

Links:
1. CVE-2026-2095
2. CVE-2026-2096
3. CVE-2026-2097
4. CVE-2026-2098
5. CVE-2026-2099