Flowring AgentFlow 5 Vulnerabilities: Auth Bypass, Arbitrary File Upload, XSS (CVE-2026-2095 to 2099)

Flowring TVN ID: TVN-202606002 CVE ID: CVE-2026-2095, CVE-2026-2096, CVE-2026-2097, CVE-2026-2098, CVE-2026-2099 CVSS: CVE-2026-2095, CVE-2026-2096: 9.8 (Critical) CVE-2026-2097: 8.8 (High) CVE-2026-2098, CVE-2026-2099: 5.4 (Medium) Affected Products: CVE-2026-2095, CVE-2026-2096, CVE-2026-2097: Agentflow all versions CVE-2026-2098, CVE-2026-2099: Agentflow 4.0 Description: CVE-2026-2095 (Authentication Bypass): Unauthenticated remote attackers can exploit a specific functionality to obtain arbitrary user authentication tokens and log into the system as any user. CVE-2026-2096 (Missing Authentication): Unauthenticated remote attackers can read, modify, and delete database contents by exploiting a specific functionality. CVE-2026-2097 (Arbitrary File Upload): Authenticated remote attackers can upload and execute web shell backdoors, enabling arbitrary code execution on the server. CVE-2026-2098 (Reflected Cross-Site Scripting): Unauthenticated remote attackers can execute arbitrary JavaScript code in users' browsers via phishing attacks. CVE-2026-2099 (Stored Cross-Site Scripting): Authenticated remote attackers can inject persistent JavaScript code that executes in users' browsers when pages are loaded. Solution: CVE-2026-2095, CVE-2026-2096: Refer to the official instructions: Link CVE-2026-2097: Contact the vendor for appropriate mitigation measures. CVE-2026-2098, CVE-2026-2099: Upgrade to version 4.0.0.1878.877 or later. Credit: CVE-2026-2095, CVE-2026-2096, CVE-2026-2097: Sideman (DEVCORE) CVE-2026-2098, CVE-2026-2099: ChunHao Yang (CHTSecurity) Public Date: 2026-02-06 Links: 1. CVE-2026-2095 2. CVE-2026-2096 3. CVE-2026-2097 4. CVE-2026-2098 5. CVE-2026-2099

Goal Reached Thanks to every supporter — we hit 100%!

Flowring AgentFlow 5 Vulnerabilities: Auth Bypass, Arbitrary File Upload, XSS (CVE-2026-2095 to 2099)