CVE-2026-33881

Name of the Vulnerable Software and Affected Versions Windmill versions prior to 1.664.0

Description Windmill, a developer platform for internal code including APIs, background jobs, workflows, and UIs, is affected by a code injection issue. Workspace environment variable values are interpolated into JavaScript string literals without proper escaping of single quotes within the NativeTS executor. A workspace administrator can exploit this by setting a custom environment variable containing a single quote (') to inject arbitrary JavaScript code. This injected code will then execute within every NativeTS script in that workspace. The issue resides in the worker.rs file and is not related to sandboxing or NSJAIL.

Recommendations Update to version 1.664.0 or later.