Octoprint Security Vulnerabilities

CVE-2024-32977

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they....

CVE-2024-28237

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with administrator rights into configuring a webcam snapshot URL which when tested through the....

CVE-2024-23637

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an...

CVE-2023-41047

OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract...

CVE-2022-3607

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to...

CVE-2018-16710

OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the.....

CVE-2022-3068

Improper Privilege Management in GitHub repository octoprint/octoprint prior to...

CVE-2022-2888

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account...

CVE-2022-2872

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to...

CVE-2022-2930

Unverified Password Change in GitHub repository octoprint/octoprint prior to...

CVE-2022-2822

An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative...

CVE-2022-1430

Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to...

CVE-2022-1432

Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to...

CVE-2021-32560

The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log...

CVE-2021-32561

OctoPrint before 1.6.0 allows XSS because API error messages include the values of input...