How to fix CVE-2025-64187?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Vendor patch is available.

Is Octoprint affected by CVE-2025-64187?

CVE-2025-64187 presents moderate security risk rated CVSS 4.6. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

CVE-2025-64187

MEDIUM

2025-11-07 [email protected]

4.6

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:20 vuln.today

Patch Released

Mar 28, 2026 - 19:20 nvd

Patch available

CVE Published

Nov 07, 2025 - 04:15 nvd

MEDIUM 4.6

Description

OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4.

Analysis

OctoPrint provides a web interface for controlling consumer 3D printers. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity.

Technical Context

This vulnerability is classified under CWE-80. OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4. Affected products include: Octoprint. Version information: version 1.11.4..

Affected Products

Octoprint.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +23

POC: 0

CVE-2025-64187 vulnerability details – vuln.today

Back

CVE-2025-64187

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-64187

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code