Tag
Flowise versions before 2.1.4 are critically vulnerable to configuration injection (CVE-2024-58351) via the `overrideConfig` option in both its frontend web integration and backend Prediction API, which, due to a bypassable `vm2` sandbox, allows attackers to achieve remote code execution, sandbox escape, denial of service, server-side request forgery, prompt injection, and server variable/data exfiltration.