CVE-2025-64187: 
Python vulnerability analysis and mitigation

OctoPrint versions up to and including 1.11.3 are affected by a Cross-Site Scripting (XSS) vulnerability (CVE-2025-64187) discovered on November 4, 2025. The vulnerability allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer. This security issue affects two OctoPrint plugins: 'actioncommandnotification' and 'actioncommandprompt', which are designed to display messages from the printer in the OctoPrint web interface (GitHub Advisory).

The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) with a CVSS v4.0 score of 4.6 (Moderate). The root cause is the failure to properly sanitize user-controllable input that is rendered in a web context, specifically in the handling of messages and prompts originating from the printer. The vulnerable functions are anonymous callbacks in actioncommandnotification.js and actioncommandprompt.js that process untrusted data without proper HTML escaping (GitHub Commit).

An attacker who successfully convinces a victim to print a specially crafted file could exploit this vulnerability to disrupt ongoing prints, extract information (including sensitive configuration settings if the targeted user has the necessary permissions), or perform other actions on behalf of the targeted user within the OctoPrint instance (GitHub Advisory).

The vulnerability will be patched in version 1.11.4. As a temporary workaround, OctoPrint administrators can mitigate the risk by disabling popups: uncheck OctoPrint Settings -> Printer Notifications -> Enable popups for Action Command prompts, and set OctoPrint Settings -> Printer Dialogs -> Enable support -> Never. It is strongly recommended to ensure that files being printed originate from trusted sources and are sliced with your own slicer (GitHub Advisory).