Skip to main content

Agentflow

10 CVEs product

Monthly

CVE-2026-7439 MEDIUM PATCH This Month

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weakness through browser-driven or local cross-origin requests to abuse the localhost API and enable attack chains against the local control plane.

Information Disclosure Agentflow
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-2099 MEDIUM This Month

Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.

XSS AI / ML Agentflow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2098 MEDIUM This Month

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

XSS AI / ML Agentflow
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2097 HIGH This Week

Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload RCE AI / ML Agentflow
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-2096 CRITICAL Act Now

Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.

Authentication Bypass AI / ML Agentflow
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-2095 CRITICAL Act Now

Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.

Authentication Bypass Agentflow
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-3709 CRITICAL Act Now

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Agentflow
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2022-39038 HIGH This Week

Agentflow BPM enterprise management system has improper authentication. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Agentflow
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-39037 HIGH This Week

Agentflow BPM file download function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Agentflow
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-39036 CRITICAL Act Now

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Agentflow
NVD
CVSS 3.1
9.8
EPSS
1.2%
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation weakness through browser-driven or local cross-origin requests to abuse the localhost API and enable attack chains against the local control plane.

Information Disclosure Agentflow
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.

XSS AI / ML Agentflow
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

XSS AI / ML Agentflow
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload RCE AI / ML +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.

Authentication Bypass AI / ML Agentflow
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.

Authentication Bypass Agentflow
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Agentflow
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Agentflow BPM enterprise management system has improper authentication. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Agentflow
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Agentflow BPM file download function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Agentflow
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Agentflow
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy