CVE-2026-23892 OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a theoretical timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the firs...
OctoPrint security vulnerabilities
OctoPrint is an open-source application developed by the OctoPrint project. It provides a web interface for controlling consumer-grade 3D printers. Versions of OctoPrint prior to 1.11.5 have security vulnerabilities. These vulnerabilities stem from the use of character-based comparisons in API key...
CVE-2025-64187
OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully...
GHSA-CRVM-XJHM-9H29 OctoPrint vulnerable to XSS in Action Commands Notification and Prompt
Impact: OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted fil...
Command Injection
OctoPrint is vulnerable to Command Injection. The vulnerability is due to improper handling of specially crafted filenames in uploaded files that can be included in system commands defined in event handlers, which allows an authenticated attacker to execute arbitrary commands when the correspondi...
EUVD-2025-17715
Malicious code in bioql PyPI...
EUVD-2025-17675
Malicious code in bioql PyPI...
EUVD-2025-27483
Malicious code in bioql PyPI...
EUVD-2024-0123
Malicious code in bioql PyPI...
EUVD-2025-12227
Malicious code in bioql PyPI...
EUVD-2023-0182
Malicious code in bioql PyPI...
EUVD-2024-0120
Malicious code in bioql PyPI...
EUVD-2024-0121
Malicious code in bioql PyPI...
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
Impact: OctoPrint versions up to and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler an...
Exploit for CVE-2025-58180
CVE-2025-58180 RCE in OctoPrint via Unsanitized Filename in Fi...
CVE-2025-48879
OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken...
CVE-2025-48067
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILEUPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the...
Denial Of Service (DoS)
OctoPrint is vulnerable to Denial of Service (DoS). The vulnerability stems from improper handling of malformed multipart/form-data requests: a missing end boundary triggers an endless loop, which causes the single-threaded Tornado web server to become unresponsive...
Arbitrary File Exfiltration
OctoPrint is vulnerable to arbitrary file exfiltration. The vulnerability is due to insufficient restrictions on file movement by users with the FILEUPLOAD permission, allowing files readable by OctoPrint to be moved into the upload folder and downloaded...
OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint
Impact: OctoPrint versions up to and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated, broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run ...