Security

Report a vulnerability

SECURITY.md

Security Policy

OctoPrint's security policy can be found here.

XSS in Action Commands Notification and Prompt
GHSA-crvm-xjhm-9h29 published Nov 4, 2025 by foosel

Moderate
RCE in OctoPrint via Unsanitized Filename in File Upload
GHSA-49mj-x8jp-qvfc published Sep 9, 2025 by foosel

High
Denial of Service through malformed HTTP request in OctoPrint
GHSA-9wj4-8h85-pgrw published Jun 10, 2025 by foosel

Moderate
File exfiltration possible via upload endpoints
GHSA-m9jh-jf9h-x3h2 published Jun 10, 2025 by foosel

Moderate
Authenticated Reverse Proxy Page Authentication Bypass
GHSA-qw93-h6pf-226x published Apr 22, 2025 by foosel

Moderate
API key access in settings without reauthentication
GHSA-cc6x-8cc7-9953 published Nov 5, 2024 by foosel

Moderate
Jinja2 Templates are vulnerable to XSS attacks due to their configuration in OctoPrint
GHSA-xvxq-g8hw-fx4g published Nov 5, 2024 by foosel

Moderate
Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
GHSA-2vjq-hg5w-5gm7 published May 14, 2024 by foosel

High
XSS via the "Snapshot Test" feature in Classic Webcam plugin settings
GHSA-x7mf-wrh9-r76c published Mar 18, 2024 by foosel

Moderate
Unverified Password Change via Access Control Settings
GHSA-5626-pw9c-hmjr published Jan 31, 2024 by foosel

Moderate

Learn more about advisories related to OctoPrint/OctoPrint in the GitHub Advisory Database