CVE-2026-33881 in windmill-labs windmill
Summary (English)
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
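The defect described above, shown as an added Rust example (not Windmill's own `worker.rs` code; the function names and the `process.env` prelude shape are assumptions): a naive interpolation of the kind the advisory describes next to a version that escapes every value before embedding it in generated JavaScript.

```rust
// Added example, not Windmill code: embedding workspace env-var values in
// generated JavaScript. Function names and prelude shape are assumptions.

/// Naive interpolation: a value containing a single quote terminates the
/// literal and whatever follows is parsed as JavaScript code.
fn naive_env_prelude(vars: &[(&str, &str)]) -> String {
    vars.iter()
        .map(|(k, v)| format!("process.env['{}'] = '{}';\n", k, v))
        .collect()
}

/// Encode `value` as a JavaScript double-quoted string literal. Every
/// character that could close the literal or end the line is escaped;
/// U+2028/U+2029 are JS line terminators in source text, so they count too.
fn js_string_literal(value: &str) -> String {
    let mut out = String::with_capacity(value.len() + 2);
    out.push('"');
    for c in value.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '"' => out.push_str("\\\""),
            '\'' => out.push_str("\\'"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            '\u{2028}' | '\u{2029}' => out.push_str(&format!("\\u{:04x}", c as u32)),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Hardened prelude: keys and values are both emitted as escaped literals,
/// so no env-var content is ever interpreted as code.
fn safe_env_prelude(vars: &[(&str, &str)]) -> String {
    vars.iter()
        .map(|(k, v)| format!("process.env[{}] = {};\n", js_string_literal(k), js_string_literal(v)))
        .collect()
}

fn main() {
    // Constructed sample: a value that happens to contain a single quote.
    let vars = [("API_TOKEN", "abc'def")];
    println!("naive:\n{}", naive_env_prelude(&vars));
    println!("safe:\n{}", safe_env_prelude(&vars));
}
```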
Responsible
GitHub_M
Reserved
2026. 03. 24.
Published
2026. 03. 27.
Entry
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Exploit | Countermeasure | CVE |
|---|---|---|---|---|---|
| 354030 | windmill-labs windmill Environment Variable privilege escalation | 94 | Not defined | Official fix | CVE-2026-33881 |