CVE-2026-33881
Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.
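The interpolation pattern described above, shown as an added example in JavaScript that is not Windmill's own code (the real executor lives in `worker.rs`): a naive prelude builder that copies values into single-quoted literals, the hardened form that renders each value as an escaped literal, and a round-trip check that flags any builder whose output lets a value change the program text. The builder names, the `process.env` assignment shape and the sample values are assumptions made for this example.

```javascript
// Added example, not Windmill's own code: a minimal model of an executor that
// writes workspace env vars into the prelude of a generated script.
// Vulnerable pattern (CWE-94): the value lands verbatim inside '...'. A single
// quote in the value ends the literal early; whatever follows is parsed as code.
function buildPreludeNaive(envVars) {
  return Object.entries(envVars)
    .map(([name, value]) => `process.env['${name}'] = '${value}';`)
    .join("\n");
}

// Hardened pattern: JSON.stringify emits a JS string literal with quotes,
// backslashes and control characters escaped, so the value stays data. Names
// are limited to an identifier shape as well (an assumption of this example).
const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
function buildPreludeSafe(envVars) {
  return Object.entries(envVars)
    .map(([name, value]) => {
      if (!ENV_NAME_RE.test(name)) throw new Error(`bad env var name: ${name}`);
      if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
      return `process.env[${JSON.stringify(name)}] = ${JSON.stringify(value)};`;
    })
    .join("\n");
}

// Loads a prelude against a fake `process` so the real environment is untouched;
// a broken literal surfaces as a SyntaxError when new Function parses the source.
function applyPrelude(src) {
  const fakeProcess = { env: {} };
  new Function("process", src)(fakeProcess);
  return fakeProcess.env;
}

// Round-trip check for any builder: the prelude must parse and every value
// must come back unchanged. False means a value altered the program text.
function roundTrips(builder, envVars) {
  try {
    const env = applyPrelude(builder(envVars));
    return Object.entries(envVars).every(([k, v]) => env[k] === v);
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample values; MOTD carries the single quote from the advisory.
const SAMPLE_ENV = {
  API_BASE: "https://api.example.test/v1",
  MOTD: "it's monday",
  BANNER: "line one\nline two",
};
```

With these values `roundTrips(buildPreludeNaive, SAMPLE_ENV)` returns false because the generated prelude no longer parses as a single assignment, while `roundTrips(buildPreludeSafe, SAMPLE_ENV)` returns true.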
| CWE | CWE-94 |
| Vendor | windmill-labs |
| Product | windmill |
| Published | Mar 27, 2026 |
| Last Updated | Apr 1, 2026 |
Affected Versions
windmill-labs / windmill
< 1.664.0