Multi-Data Flow Static Analysis Method for Vulnerability Detection in Web Applications
(面向Web应用漏洞检测的多数据流静态分析方法)

CLC number: TP311
    Abstract (translated from the Chinese):

    As one of the core technologies for detecting security vulnerabilities in Web applications, Static Application Security Testing (SAST) is used across a wide range of industrial scenarios. However, existing static analysis tools are constrained by the design of their underlying taint analysis algorithms and struggle with the complex logic of modern Web applications, such as asynchronous request patterns and multi-source input semantics, which directly limits their vulnerability detection performance. To address this, a multi-data flow static analysis method for Web security vulnerability detection is proposed. It extends the capabilities of traditional taint analysis along several dimensions to improve both detection ability and generality. In the vertical dimension, multi-stage data flow analysis is introduced: correlation and iteration algorithms jointly consider data dependencies across different control flow paths, effectively supporting the detection of deep vulnerabilities that require multiple asynchronous calls to trigger. In the horizontal dimension, multi-tag data flow analysis is introduced: taint tags distinguish different input sources, yielding finer-grained program context semantics and improving detection precision for vulnerabilities tied to complex semantics. Based on this method, MultiFlow, a vulnerability detection prototype system for Java/JavaScript Web applications, is implemented. Experimental results show that on a dataset of 60 real-world Web applications and third-party components, MultiFlow's multi-data flow analysis is effective, achieving precision of 87.18%, 75.00% and 83.72% on the complex Web vulnerability detection tasks of stored XSS, broken access control and prototype pollution respectively, and has obtained 8 CVE IDs. Compared with existing methods, MultiFlow achieves higher precision and recall with less analysis overhead, validating its practical value.

    Abstract:

    As one of the core technologies for Web application vulnerability detection, Static Application Security Testing (SAST) has achieved widespread industrial adoption. However, existing static analysis tools face significant challenges in handling the complex logical structures inherent in modern Web applications, such as asynchronous request patterns and multi-source input semantics, due to limitations in the design of the underlying taint analysis algorithm. To address this issue, this study proposes a multi-data flow analysis method designed for static detection of Web security vulnerabilities. The approach extends traditional taint analysis capabilities through multi-dimensional enhancements to improve both detection performance and generalization. Vertically, a multi-stage data flow analysis is introduced to comprehensively consider data dependencies across different control flow paths through correlation and iterative algorithms. Horizontally, a multi-tag data flow analysis mechanism is implemented to distinguish different input sources via taint tags, thereby capturing finer-grained program context semantics and enhancing detection accuracy. Based on this methodology, a vulnerability detection prototype system named MultiFlow has been developed for Java/JavaScript Web applications. Experimental evaluations demonstrate that MultiFlow's multi-data flow analysis achieves significant effectiveness on a dataset containing 60 real-world Web applications and third-party libraries, attaining precision rates of 87.18%, 75.00%, and 83.72% respectively for Stored XSS, Broken Access Control and Prototype Pollution, and has obtained 8 CVE IDs. Compared with existing approaches, MultiFlow achieves higher precision and recall metrics with reduced analysis overhead, thereby validating its practical applicability.
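The two extensions named in the abstract, multi-stage (store/load chains across separate requests) and multi-tag (distinguishing input sources) data flow, can be illustrated with a small abstract interpreter over a toy intermediate representation. The code below is an added example written for this page; it is not MultiFlow's code or algorithm, and the mini-IR, the tag names (`user`, `session`), the sink policy and the sample handlers are all constructed for the illustration. Running the same handlers in three modes shows why a single-request, tag-agnostic analysis misses the stored XSS and reports a false positive on the session-scoped account operation, while the multi-stage, multi-tag analysis reports exactly the two real flows.

```python
"""Toy multi-stage, multi-tag taint analysis over a constructed mini-IR.

Added illustration of the ideas in the abstract; not MultiFlow's code.
The IR, tag names, sink policy and sample handlers are constructed here.
"""
from dataclasses import dataclass, field

Taint = frozenset  # a taint value is the set of source tags a value may carry

# Constructed sink policy: which source tags turn a sink into a finding.
# "session" values are set server-side after authentication, so they are
# not a reason to flag an account operation; raw "user" request data is.
SINK_POLICY = {
    "html_output": {"user"},  # request-controlled text rendered as HTML
    "account_op": {"user"},   # account id for a privileged op taken from the request
}

@dataclass
class State:
    store: dict = field(default_factory=dict)     # persisted key -> taint
    findings: dict = field(default_factory=dict)  # (handler, sink, tags) -> stage

def run_handler(name, stmts, state, stage, multi_tag):
    """Abstractly execute one request handler, propagating taint sets."""
    env = {}
    get = lambda v: env.get(v, Taint())
    for st in stmts:
        op = st[0]
        if op == "source":            # ("source", var, tag)
            env[st[1]] = Taint({st[2] if multi_tag else "tainted"})
        elif op == "concat":          # ("concat", dst, a, b): union of tags
            env[st[1]] = get(st[2]) | get(st[3])
        elif op == "store":           # ("store", key, var): persist to DB/file
            state.store[st[1]] = state.store.get(st[1], Taint()) | get(st[2])
        elif op == "load":            # ("load", var, key): read persisted value
            env[st[1]] = state.store.get(st[2], Taint())
        elif op == "sink":            # ("sink", kind, var)
            tags = get(st[2])
            hit = bool(tags) if not multi_tag else bool(tags & SINK_POLICY[st[1]])
            if hit:
                state.findings.setdefault((name, st[1], tuple(sorted(tags))), stage)
        else:
            raise ValueError(f"unknown op {op!r}")

def analyze(handlers, multi_stage=True, multi_tag=True):
    """Return {(handler, sink_kind, tags): stage_at_which_found}.

    multi_stage=False analyses each handler in isolation with an empty store,
    so a value persisted by one request and read by a later one is invisible.
    multi_stage=True shares the store across handlers and iterates to a
    fixpoint, so a finding that needs k chained requests appears at stage k-1.
    multi_tag=False collapses every source to one undifferentiated tag.
    """
    if not multi_stage:
        merged = {}
        for name, stmts in handlers.items():
            st = State()
            run_handler(name, stmts, st, 0, multi_tag)
            merged.update(st.findings)
        return merged
    state, stage = State(), 0
    while True:
        before = dict(state.store)
        for name, stmts in handlers.items():
            run_handler(name, stmts, state, stage, multi_tag)
        if state.store == before:   # no new persisted taint: fixpoint reached
            return state.findings
        stage += 1

# Constructed sample handlers for a small forum-style application.
HANDLERS = {
    "view_thread": [                  # later request: renders a stored comment
        ("load", "c", "db.comment"),
        ("sink", "html_output", "c"),
    ],
    "post_comment": [                 # earlier request: persists user input
        ("source", "body", "user"),
        ("store", "db.comment", "body"),
    ],
    "change_own_password": [          # account id comes from the session
        ("source", "acct", "session"),
        ("sink", "account_op", "acct"),
    ],
    "delete_account": [               # account id comes straight from the request
        ("source", "acct", "user"),
        ("sink", "account_op", "acct"),
    ],
}

if __name__ == "__main__":
    for ms, mt in [(False, False), (True, False), (True, True)]:
        print(f"multi_stage={ms} multi_tag={mt}:")
        for (h, k, tags), stage in sorted(analyze(HANDLERS, ms, mt).items()):
            print(f"  {h}: {k} <- {tags} (stage {stage})")
```

The single-request mode never sees `db.comment` populated, so `view_thread` is clean and the stored XSS chain is missed; the shared-store fixpoint finds it at stage 1, i.e. after one extra request. The tag-agnostic modes also flag `change_own_password`, whose account id is session-derived; keeping `session` and `user` as distinct tags is what lets the policy suppress that report while still flagging `delete_account`.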

Cite this article:

毛祥煜, 肖庆, 戴嘉润, 何君尧, 谭杰. Multi-Data Flow Static Analysis Method for Vulnerability Detection in Web Applications. Journal of Software (软件学报), 2026, 37(7):

History
  • Received: 2025-08-29
  • Revised: 2025-10-20
  • Published online: 2025-12-26
Copyright: Institute of Software, Chinese Academy of Sciences. 京ICP备05046678号-3
Address: 4 South Fourth Street, Zhongguancun, Haidian District, Beijing, 100190
Tel: 010-62562563 Fax: 010-62562533 Email: jos@iscas.ac.cn
Technical support: 北京勤云科技发展有限公司

京公网安备 11040202500063号