VYPR
Vendor: Windmill

Products: 1
CVEs: 7
Across products: 7
Status: Private


Recent CVEs (7)
  • CVE-2026-23696 | Critical | Apr 7, 2026
    risk 0.57 | cvss 9.9 | epss 0.05

    Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data…

  • CVE-2026-29059 | High | Mar 6, 2026
    risk 0.51 | cvss 7.5 | epss 0.03

    Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Prior to version 1.603.3, an unauthenticated path traversal vulnerability exists in Windmill's get_log_file endpoint "(/api/w/{workspace}/jobs_u/get_log_file/(unknown))".…

  • CVE-2026-22683 | High | Apr 7, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or…

  • CVE-2026-47107 | High | May 19, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and…

  • CVE-2026-33881 | High | Mar 27, 2026
    risk 0.40 | cvss 7.2 | epss 0.00

    Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a…

  • CVE-2024-8462 | Low | Sep 5, 2024
    risk 0.17 | cvss 3.7 | epss 0.01

    A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication…

  • CVE-2026-26964 | Low | Feb 20, 2026
    risk 0.11 | cvss 2.7 | epss 0.00

    Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET…