Arbitrary Code Injection Vulnerability in OctoPrint Web Interface for 3D Printers
CVE-2025-64187

4.6 MEDIUM

Key Information:

Vendor: Octoprint
Status: Vendor
CVE Published: 7 November 2025

What is CVE-2025-64187?

OctoPrint, a popular web interface for managing 3D printers, allows arbitrary HTML and JavaScript to be injected into Action Command notifications. An attacker who convinces a user to run a specially crafted file can use this to manipulate the printer's actions. Successful exploitation can disrupt print jobs, expose information the user should not see, and abuse that user's permissions within the OctoPrint platform. All versions of OctoPrint up to 1.11.3 are affected; the issue is resolved in version 1.11.4.
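The root cause described above is notification text that originates from a printed file being placed into the web page as markup. The following is an added example, not code from OctoPrint or from the fix in 1.11.4; it assumes the common `// action:<name> <payload>` line format for printer-side action commands (an assumption about the protocol, not something stated on this page) and shows the vulnerable concatenation pattern beside the hardened form that escapes the payload before it reaches the page, plus a simple check a defender can log on.

```javascript
// Added example (not OctoPrint's own code). Assumes action commands arrive as
// lines of the form "// action:<name> <payload>"; the payload is free text
// that the page should never interpret as HTML.
const ACTION_LINE = /^\/\/\s*action:(\S+)\s*(.*)$/;

// Split a serial line into { action, payload }, or null if it is not an action command.
function parseActionCommand(line) {
  const m = ACTION_LINE.exec(line.trim());
  if (!m) return null;
  return { action: m[1], payload: m[2] };
}

// Escape the five characters that can open markup or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: payload from the printer concatenated straight into markup.
// Anything in the file that looks like a tag becomes live HTML in the browser.
function renderNotificationUnsafe(payload) {
  return `<div class="notification">${payload}</div>`;
}

// Hardened pattern: escape first (or, when building DOM nodes, assign to
// element.textContent instead of innerHTML).
function renderNotificationSafe(payload) {
  return `<div class="notification">${escapeHtml(payload)}</div>`;
}

// Defender-side check: a notification that carries angle brackets is worth
// flagging in logs, since legitimate printer status text does not need them.
function looksLikeMarkup(payload) {
  return /[<>]/.test(payload);
}

// Constructed sample lines (not a real capture): one benign notification,
// one carrying a tag, one ordinary temperature report.
const SAMPLE_LINES = [
  "// action:notification Print paused, check filament",
  "// action:notification <script>alert(1)</script>",
  "ok T:210.0 /210.0",
];

// Run a renderer over every notification in the stream; returns rendered strings.
function processLines(lines, render) {
  const out = [];
  for (const line of lines) {
    const cmd = parseActionCommand(line);
    if (cmd && cmd.action === "notification") out.push(render(cmd.payload));
  }
  return out;
}

// Collect the payloads a defender would want flagged.
function flaggedNotifications(lines) {
  return lines
    .map(parseActionCommand)
    .filter((cmd) => cmd && cmd.action === "notification" && looksLikeMarkup(cmd.payload))
    .map((cmd) => cmd.payload);
}

console.log(processLines(SAMPLE_LINES, renderNotificationUnsafe));
console.log(processLines(SAMPLE_LINES, renderNotificationSafe));
console.log(flaggedNotifications(SAMPLE_LINES));
```

Escaping at render time is the generic mitigation for this class of bug; whether OctoPrint's actual patch took this route or another is not stated on this page.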

Affected Version(s)

OctoPrint < 1.11.4

References

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
