PyPI package
octoprint
pkg:pypi/octoprint
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23892 | — | — | — | < 1.11.6 | 1.11.6 | Jan 27, 2026 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-c |
| CVE-2025-64187 | — | — | — | < 1.11.4 | 1.11.4 | Nov 7, 2025 | OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who |
| CVE-2025-58180 | — | — | — | < 1.11.3 | 1.11.3 | Sep 9, 2025 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution |
| CVE-2025-48879 | — | — | — | < 1.11.2 | 1.11.2 | Jun 10, 2025 | OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered b |
| CVE-2025-48067 | — | — | — | < 1.11.2 | 1.11.2 | Jun 10, 2025 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving |
| CVE-2025-32788 | — | — | — | < 1.11.0 | 1.11.0 | Apr 22, 2025 | OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk li |
| CVE-2024-49377 | — | — | — | < 1.10.3 | 1.10.3 | Nov 5, 2024 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victi |
| CVE-2024-51493 | — | — | — | < 1.10.3 | 1.10.3 | Nov 5, 2024 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreat |
| CVE-2024-32977 | — | — | — | < 1.10.1 | 1.10.1 | May 14, 2024 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `conf |
| CVE-2024-28237 | — | — | — | < 1.10.0rc3 | 1.10.0rc3 | Mar 18, 2024 | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when |
| CVE-2024-23637 | — | — | — | < 1.10.0rc1 | 1.10.0rc1 | Jan 31, 2024 | OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed |
| CVE-2023-41047 | — | — | — | < 1.9.3 | 1.9.3 | Oct 9, 2023 | OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use t |
| CVE-2022-3607 | — | — | — | < 1.8.3 | 1.8.3 | Oct 19, 2022 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-3068 | — | — | — | < 1.8.3 | 1.8.3 | Sep 21, 2022 | Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-2888 | — | — | — | < 1.8.3 | 1.8.3 | Sep 21, 2022 | If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. |
| CVE-2022-2872 | — | — | — | < 1.8.3 | 1.8.3 | Sep 21, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-2930 | — | — | — | < 1.8.3 | 1.8.3 | Aug 22, 2022 | Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3. |
| CVE-2022-2822 | — | — | — | <= 1.7.3 | — | Aug 15, 2022 | An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts. |
| CVE-2022-1432 | — | — | — | < 1.8.0 | 1.8.0 | May 18, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0. |
| CVE-2022-1430 | — | — | — | < 1.8.0 | 1.8.0 | May 18, 2022 | Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0. |
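The first entry above (CVE-2026-23892) describes a short-circuiting, character-by-character comparison of the API key. The following is an added example, not OctoPrint's own code and not taken from the advisory: it shows an instrumented stand-in for such a comparison, simulates how a remote attacker could use the resulting timing oracle to recover a key one character at a time, and shows the constant-time replacement (`hmac.compare_digest`) that removes the leak. The key value, the instrumented function and the simulated oracle are all constructed for illustration.

```python
"""
Short-circuit comparison timing leak versus constant-time comparison.

Added example; not OctoPrint code. `naive_compare` is a constructed stand-in
for a comparison that stops at the first mismatching character; the number
of characters it examines is used as a deterministic proxy for the elapsed
time an attacker would measure over the network.
"""
import hmac

# Constructed sample key (32 upper-case hex characters); not a real credential.
EXPECTED_KEY = "9F1C2B7A4D3E8F0A1B2C3D4E5F6A7B8C"


def naive_compare(provided: str, expected: str):
    """Vulnerable pattern: compare characters left to right and stop at the
    first mismatch. Returns (matches, chars_examined). The second value grows
    with the length of the correct prefix, which is exactly the signal a
    timing attacker needs."""
    examined = 0
    if len(provided) != len(expected):
        return False, examined
    for a, b in zip(provided, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(provided: str, expected: str) -> bool:
    """Hardened pattern: hmac.compare_digest takes time that does not depend
    on where the inputs first differ. Inputs are encoded to bytes so that
    non-ASCII input is accepted rather than raising."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def prefix_recovery_cost(expected: str, alphabet: str = "0123456789ABCDEF") -> int:
    """Simulated attacker using the oracle from naive_compare: at each
    position, try every alphabet symbol and keep the one that makes the
    comparison examine the most characters (ties broken by a full match).
    Returns the total number of guesses needed to recover the whole key.
    For a 32-character hex key that is at most 32 * 16 = 512 guesses,
    instead of 16 ** 32 for a blind brute force."""
    recovered = ""
    guesses = 0
    while len(recovered) < len(expected):
        best_symbol, best_score = None, (-1, False)
        for symbol in alphabet:
            # Pad with a byte that cannot be in a hex key so the length check passes
            # and the comparison stops right after the guessed position.
            candidate = (recovered + symbol).ljust(len(expected), "\0")
            guesses += 1
            matched, depth = naive_compare(candidate, expected)
            score = (depth, matched)
            if score > best_score:
                best_symbol, best_score = symbol, score
        recovered += best_symbol
    if recovered != expected:
        raise RuntimeError("oracle did not converge")
    return guesses


if __name__ == "__main__":
    print("wrong first char examines:", naive_compare("0" * 32, EXPECTED_KEY)[1])
    print("two correct chars examine:", naive_compare("9F" + "0" * 30, EXPECTED_KEY)[1])
    print("guesses to recover key via oracle:", prefix_recovery_cost(EXPECTED_KEY))
    print("constant-time match:", constant_time_compare(EXPECTED_KEY, EXPECTED_KEY))
```

Real network measurements are far noisier than this simulation, which is why the advisory calls the attack theoretical; the defence is the same either way, because `hmac.compare_digest` gives the attacker no per-position signal to average out. Hashing the presented key before comparison has the same effect and additionally avoids holding the plaintext key in the comparison at all.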
Page 1 of 2