Suggestions search

Published

Filter by:

With package: windmill

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-33881

updated 1 month ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environment variable with a value containing `'` can inject arbitrary JavaScript that executes inside every NativeTS script in that workspace. This is a code injection bug in `worker.rs`, not related to the sandbox/NSJAIL topic. Version 1.664.0 patches the issue.

References

https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q x_refsource_CONFIRM

Affected products

windmill

==< 1.664.0

Matching in nixpkgs

pkgs.windmill

Open-source developer platform to turn scripts into workflows and UIs

nixos-unstable 1.601.1
- nixpkgs-unstable 1.601.1
- nixos-unstable-small 1.601.1
nixos-25.11 1.549.1
- nixos-25.11-small 1.549.1
- nixpkgs-25.11-darwin 1.549.1

Package maintainers

@dit7ya Mostly Void <7rat13@gmail.com>
@happysalada Raphael Megzari <raphael@megzari.com>

Advisory: https://github.com/windmill-labs/windmill/security/advisories/GHSA-8q8j-mm3g-5c2q

Permalink CVE-2026-29059

updated 1 month, 3 weeks ago by @mweinelt Activity log

Created suggestion 1 month, 3 weeks ago
@mweinelt accepted 1 month, 3 weeks ago
@mweinelt published on GitHub 1 month, 3 weeks ago

Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/{filename})". The filename parameter is concatenated into a file path without sanitization, allowing an attacker to read arbitrary files on the server using ../ sequences. This issue has been patched in version 1.603.3.