CVE-2026-33881 in windmill-labs windmill
摘要 (英语)
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
负责
GitHub_M
预定
2026-03-24
披露
2026-03-27
条目
VulDB provides additional information and datapoints for this CVE:
| 标识符 | 漏洞 | CWE | 可利用 | 对策 | CVE |
|---|---|---|---|---|---|
| 354030 | windmill-labs windmill Environment Variable 权限提升 | 94 | 未定义 | 官方修复 | CVE-2026-33881 |