Home > Vulnerability Database > CVE-2025-64187

Mend.io Vulnerability Database

CVE-2025-64187

Good to know:

Date: November 6, 2025

OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4.

Severity Score

6.1

Related Resources (5)

Url: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-crvm-xjhm-9h29

Url: https://github.com/OctoPrint/OctoPrint

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64187

Url: https://github.com/OctoPrint/OctoPrint/commit/9112e07b1085f4c1ee9eefc67985809251057a44

Url: https://www.mend.io/vulnerability-database/CVE-2025-64187

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

Upgrade Version

Upgrade to version octoprint - 1.11.4;https://github.com/OctoPrint/OctoPrint.git - 1.11.3

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64187

Good to know:

Date: November 6, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?