Cross-site Scripting (XSS) - DOM in octoprint/octoprint
Description
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DOM-based XSS vulnerability in OctoPrint prior to 1.8.0 allows remote attackers to inject arbitrary JavaScript via manipulated URL fragments or query parameters.
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in OctoPrint versions prior to 1.8.0. The flaw is triggered when user-controlled input from URL fragments or query parameters is improperly handled by client-side JavaScript, allowing the injection of arbitrary scripts into the page context. No special configuration is required beyond having an authenticated user visit a crafted link.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a specially designed fragment or query string that, when accessed by a logged-in OctoPrint user, causes the user's browser to execute arbitrary JavaScript in the context of the OctoPrint web interface. The attacker needs no authentication or prior access to the system; the only requirement is that the victim is logged in to the OctoPrint application.
Impact
Successful exploitation leads to DOM-based XSS, enabling an attacker to perform actions on behalf of the victim user, such as modifying printer settings, exfiltrating session tokens, or displaying false status messages. This could compromise the confidentiality and integrity of the OctoPrint installation, and in some cases lead to arbitrary code execution if further browser-based attacks are chained.
Mitigation
The vulnerability is fixed in OctoPrint version 1.8.0 [1][2]. Users are strongly advised to upgrade to this version or later. No workarounds are documented in the available references. The vulnerability has been assigned CVE-2022-1430 and is tracked by huntr.dev [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
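The fix commit listed under Patches rejects any `redirect` value that carries a URL scheme or network location before the login view redirects to it. The following is an added example, not OctoPrint's own code, that reimplements that check as a stand-alone function and goes one step further by also requiring a plain absolute path on the application's own origin; `DEFAULT_REDIRECT`, `safe_login_redirect` and `redirect_from_query` are hypothetical names standing in for `request.script_root + url_for("index")` and the view's handling of `request.args`.

```python
from urllib.parse import urlparse

# Hypothetical stand-in for request.script_root + url_for("index").
DEFAULT_REDIRECT = "/"


def safe_login_redirect(candidate: str, default: str = DEFAULT_REDIRECT) -> str:
    """Return a post-login redirect target that stays on this application.

    First applies the same rule as the fix commit: anything with a scheme
    (e.g. "javascript:", "https:") or a netloc (e.g. "//host") is replaced
    by the default. Then, as defence in depth beyond the patch, requires a
    single leading "/" so that forms which urlparse treats as a bare path
    but browsers may treat as a new host ("//..." or "/\\...") are refused.
    """
    if not candidate:
        return default
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Matches the patched view: log-worthy, but fall back to the index.
        return default
    if not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return default
    # Control characters have no place in a redirect target and could
    # interfere with header handling downstream.
    if any(ord(ch) < 0x20 for ch in candidate):
        return default
    return candidate


def redirect_from_query(args: dict, default: str = DEFAULT_REDIRECT) -> str:
    """Equivalent of the patched view: read ?redirect=... with a default."""
    return safe_login_redirect(args.get("redirect", default), default)


if __name__ == "__main__":
    # Constructed sample inputs; the first two are legitimate in-app paths.
    for value in ["/tab/temperature", "/settings?x=1#y", "javascript:alert(1)",
                  "//example.com/", "https://example.com/login", "/\\example.com"]:
        print(f"{value!r:32} -> {safe_login_redirect(value)!r}")
```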
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OctoPrint (PyPI) | < 1.8.0 | 1.8.0 |
Affected products
- octoprint/octoprint/octoprint v5 (range: unspecified)
Patches
- 8087528e4a7d 🔒️ Sanitize and validate login redirect
1 file changed · +11 −1
src/octoprint/server/views.py+11 −1 modified@@ -8,6 +8,7 @@ import os import re from collections import defaultdict +from urllib.parse import urlparse from flask import ( Response, @@ -170,7 +171,16 @@ def _add_additional_assets(hook): def login(): from flask_login import current_user - redirect_url = request.args.get("redirect", request.script_root + url_for("index")) + default_redirect_url = request.script_root + url_for("index") + redirect_url = request.args.get("redirect", default_redirect_url) + + parsed = urlparse(redirect_url) # check if redirect url is valid + if parsed.scheme != "" or parsed.netloc != "": + _logger.warning( + f"Got an invalid redirect URL with the login attempt, misconfiguration or attack attempt: {redirect_url}" + ) + redirect_url = default_redirect_url + permissions = sorted( filter( lambda x: x is not None and isinstance(x, OctoPrintPermission),
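Review bot: the new check in `login()` only rejects values whose `scheme` or `netloc` is non-empty, so any value that `urlparse` reads as a bare path is passed through unchanged; since the intent is to keep the redirect on the application's own pages, consider additionally requiring `redirect_url` to start with a single `/` (refusing `/` or `\` as the second character) and to sit under `request.script_root`, because browser URL parsing does not always agree with `urlparse` on where the path begins. Two smaller points: a same-origin absolute URL now silently falls back to `default_redirect_url`, which should be documented for callers that build such links, and the warning interpolates the raw request value into the log line, so format it with `%r` or strip control characters so a crafted value cannot forge extra log lines.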
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x7r7-wmj8-vv5g (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-1430 (source: ghsa; type: ADVISORY)
- github.com/octoprint/octoprint/commit/8087528e4a7ddd15c7d95ff662deb5ef7de90045 (source: ghsa; x_refsource_MISC; type: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-200.yaml (source: ghsa; type: WEB)
- huntr.dev/bounties/0cd30d71-1e32-4a0b-b4c3-faaa1907b541 (source: ghsa; x_refsource_CONFIRM; type: WEB)