Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/828126?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/828126?format=api", "purl": "pkg:pypi/octoprint@1.11.1", "type": "pypi", "namespace": "", "name": "octoprint", "version": "1.11.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.11.6", "latest_non_vulnerable_version": "1.11.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57441?format=api", "vulnerability_id": "VCID-dzbe-gru3-ukdn", "summary": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14342", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14365", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14462", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14423", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48879" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OctoPrint/OctoPrint" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:57:28Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879", "reference_id": "CVE-2025-48879", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879" }, { "reference_url": "https://github.com/advisories/GHSA-9wj4-8h85-pgrw", "reference_id": "GHSA-9wj4-8h85-pgrw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9wj4-8h85-pgrw" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw", "reference_id": "GHSA-9wj4-8h85-pgrw", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:57:28Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85387?format=api", "purl": "pkg:pypi/octoprint@1.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tbb9-a1vr-g3ct" }, { "vulnerability": "VCID-tpea-28hk-wkas" }, { "vulnerability": "VCID-xjzu-4qfa-z7e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.2" } ], "aliases": [ "CVE-2025-48879", "GHSA-9wj4-8h85-pgrw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dzbe-gru3-ukdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57438?format=api", "vulnerability_id": "VCID-s4s7-jh3k-k7g7", "summary": "OctoPrint vulnerable to possible file extraction via upload endpoints\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the `FILE_UPLOAD` permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from.\n\nThe primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48067", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27445", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27452", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27533", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27584", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27495", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48067" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OctoPrint/OctoPrint" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/9984b20773f5895a432f965b759999b16c57f7d8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:36:28Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/9984b20773f5895a432f965b759999b16c57f7d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48067", "reference_id": "CVE-2025-48067", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48067" }, { "reference_url": "https://github.com/advisories/GHSA-m9jh-jf9h-x3h2", "reference_id": "GHSA-m9jh-jf9h-x3h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m9jh-jf9h-x3h2" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2", "reference_id": "GHSA-m9jh-jf9h-x3h2", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T15:36:28Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85387?format=api", "purl": "pkg:pypi/octoprint@1.11.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tbb9-a1vr-g3ct" }, { "vulnerability": "VCID-tpea-28hk-wkas" }, { "vulnerability": "VCID-xjzu-4qfa-z7e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.2" } ], "aliases": [ "CVE-2025-48067", "GHSA-m9jh-jf9h-x3h2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4s7-jh3k-k7g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58132?format=api", "vulnerability_id": "VCID-tbb9-a1vr-g3ct", "summary": "OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload\nOctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an **authenticated** attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.\n\nIf no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58180", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02219", "scoring_system": "epss", "scoring_elements": "0.84813", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02219", "scoring_system": "epss", "scoring_elements": "0.84816", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.02219", "scoring_system": "epss", "scoring_elements": "0.84801", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.02219", "scoring_system": "epss", "scoring_elements": "0.84812", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02219", "scoring_system": "epss", "scoring_elements": "0.84818", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-58180" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OctoPrint/OctoPrint" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/be4201ef58d9a7c03593252398c16eada90a258b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-10T13:59:03Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/be4201ef58d9a7c03593252398c16eada90a258b" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/c3a940962f4658a8e035a00388781b1cbd768841", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-10T13:59:03Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/c3a940962f4658a8e035a00388781b1cbd768841" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-10T13:59:03Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.3" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52476.txt", "reference_id": "CVE-2025-58180", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52476.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58180", "reference_id": "CVE-2025-58180", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58180" }, { "reference_url": "https://github.com/advisories/GHSA-49mj-x8jp-qvfc", "reference_id": "GHSA-49mj-x8jp-qvfc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-49mj-x8jp-qvfc" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc", "reference_id": "GHSA-49mj-x8jp-qvfc", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-10T13:59:03Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86509?format=api", "purl": "pkg:pypi/octoprint@1.11.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tpea-28hk-wkas" }, { "vulnerability": "VCID-xjzu-4qfa-z7e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.3" } ], "aliases": [ "CVE-2025-58180", "GHSA-49mj-x8jp-qvfc" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tbb9-a1vr-g3ct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48330?format=api", "vulnerability_id": "VCID-tpea-28hk-wkas", "summary": "OctoPrint vulnerable to XSS in Action Commands Notification and Prompt\nOctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.\n\nAn attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64187", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05141", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05146", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05103", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05147", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05161", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64187" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OctoPrint/OctoPrint" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/9112e07b1085f4c1ee9eefc67985809251057a44", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-07T17:58:58Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/9112e07b1085f4c1ee9eefc67985809251057a44" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64187", "reference_id": "CVE-2025-64187", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64187" }, { "reference_url": "https://github.com/advisories/GHSA-crvm-xjhm-9h29", "reference_id": "GHSA-crvm-xjhm-9h29", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crvm-xjhm-9h29" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-crvm-xjhm-9h29", "reference_id": "GHSA-crvm-xjhm-9h29", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-07T17:58:58Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-crvm-xjhm-9h29" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71330?format=api", "purl": "pkg:pypi/octoprint@1.11.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xjzu-4qfa-z7e8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.4" } ], "aliases": [ "CVE-2025-64187", "GHSA-crvm-xjhm-9h29" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tpea-28hk-wkas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49858?format=api", "vulnerability_id": "VCID-xjzu-4qfa-z7e8", "summary": "OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication\nOctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network.\n\nDue to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03032", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03066", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03138", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03128", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23892" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/OctoPrint/OctoPrint" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:13:25Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:13:25Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23892", "reference_id": "CVE-2026-23892", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23892" }, { "reference_url": "https://github.com/advisories/GHSA-xg4x-w2j3-57h6", "reference_id": "GHSA-xg4x-w2j3-57h6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xg4x-w2j3-57h6" }, { "reference_url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6", "reference_id": "GHSA-xg4x-w2j3-57h6", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:13:25Z/" } ], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73636?format=api", "purl": "pkg:pypi/octoprint@1.11.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.6" } ], "aliases": [ "CVE-2026-23892", "GHSA-xg4x-w2j3-57h6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xjzu-4qfa-z7e8" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/octoprint@1.11.1" }