Windmill Dev Platform Suffers Critical Code Injection Flaw

/HIGH
SCW vulnerabilitycve
Windmill Dev Platform Suffers Critical Code Injection Flaw

CVE Notify has flagged a significant vulnerability within the popular open-source developer platform, Windmill. The issue, dubbed CVE-2026-33881, resides in the platform’s NativeTS executor. According to CVE Notify, environment variable values are being interpolated into JavaScript string literals without proper escaping for single quotes. This oversight allows a malicious workspace administrator to inject arbitrary JavaScript code. This injected code can then execute within any NativeTS script running in that specific workspace, posing a serious security risk.

CVE Notify clarifies that this is a code injection bug located in the worker.rs component, and it’s distinct from sandbox or NSJAIL-related security concerns. The vulnerability impacts Windmill’s ability to securely manage internal code, including APIs, background jobs, workflows, and user interfaces. The good news is that Windmill has already addressed this by releasing version 1.664.0, which includes a patch for this critical flaw.

What This Means For You

  • Organizations utilizing Windmill should immediately review their environment variable configurations and ensure all workspace administrators are trusted. Promptly update to version 1.664.0 or later to remediate this code injection vulnerability.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.001 PowerShell Execution T1574.002 DLL Side-Loading Persistence

πŸ›‘οΈ Detection Rules

1 rule Β· 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.

high T1190 Initial Access

Web Application Exploitation Attempt β€” CVE-2026-33881

Sigma YAML β€” free preview

Source: Shimi's Cyber World Β· License & reuse

Indicators of Compromise

IDTypeIndicator
CVE-2026-33881 Code Injection Windmill version < 1.664.0, NativeTS executor, interpolation of environment variables into JavaScript string literals without escaping single quotes in worker.rs
CVE-2026-33881 Code Injection Windmill version < 1.664.0, affected component: NativeTS executor, vulnerability: arbitrary JavaScript injection via unescaped single quotes in environment variables

By Shimi's Cyber World Editorial

Related coverage

Featured

Daily Security Digest β€” 2026-05-22

13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.

daily-digestvulnerabilityCVEhigh-severitycwe-88privilege-escalationcwe-863criticalremote-code-executioncwe-434
/SCW Daily Digest /CRITICAL

WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content

CVE-2026-9011 β€” The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 3 IOCs

CVE-2026-8692 β€” The Vedrixa Forms – User Registration Form, Signup Form &

CVE-2026-8692 β€” The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass...

vulnerabilityCVEmedium-severitycwe-862
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 2 Sigma