CVE-2026-35163: OctoPrint has XSS in its Suppressed Command Notifications

June 23, 2026

OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer.

An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

References

github.com/OctoPrint/OctoPrint/security/advisories/GHSA-p6qx-ghxm-389h
github.com/advisories/GHSA-p6qx-ghxm-389h
nvd.nist.gov/vuln/detail/CVE-2026-35163

Code Behaviors & Features

Detect and mitigate CVE-2026-35163 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →