CVE-2026-2099 MEDIUM

CVE-2026-2099: Flowring｜AgentFlow - Stored Cross-Site Scripting

Vendor Flowring

Product AgentFlow

Weakness CWE-79 · XSS

Published February 10, 2026

Last update February 10, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load.

Key dates

02Disclosure timeline

February 10, 2026 CVE published

February 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-2099

Related vulnerabilities

04Related CVE

CVE-2024-51890 WordPress Geoportail Shortcode plugin <= 2.4.4 - Stored Cross Site Scripting (XSS) vulnerability CVE-2024-3952 Advanced Ads – Ad Manager & AdSense <= 1.52.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget CVE-2024-45478 Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input CVE-2024-33604 BIG-IP Configuration utility XSS vulnerability CVE-2017-12292