CVE-2025-64187: OctoPrint vulnerable to XSS in Action Commands Notification and Prompt

November 4, 2025 (updated November 7, 2025)

OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.

An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

References

github.com/OctoPrint/OctoPrint
github.com/OctoPrint/OctoPrint/commit/9112e07b1085f4c1ee9eefc67985809251057a44
github.com/OctoPrint/OctoPrint/security/advisories/GHSA-crvm-xjhm-9h29
github.com/advisories/GHSA-crvm-xjhm-9h29
nvd.nist.gov/vuln/detail/CVE-2025-64187

Code Behaviors & Features

Detect and mitigate CVE-2025-64187 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →