Prepared in between working heavily on 1.12.0, which will bring native support for printer connection types other than serial (e.g. Moonraker/Klipper), this fourth bugfix release for 1.11.x fixes some bugs, security issues and user experience problems reported since the release of 1.11.0:

🔒 Security fixes

XSS in Action Commands Notification and Prompt, severity Moderate (4.6): OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Commands notification and prompt popups.

An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

If popups have been disabled for both Action Command notifications and prompts, this vulnerability does not have an impact.

See also the GitHub Security Advisory and CVE-2025-64187.

Minor Security fixes

  • Protected the execution of system commands with a reauthentication request.

✨ Features & improvements

Gcode Viewer Plugin

  • Got rid of some unused calculations in the gcode parser, greatly improving loading performance.

Plugin Manager Plugin & Software Update Plugin

  • #5204: The Plugin Manager and the Software Update Plugin will now detect if they are about to install an OctoPrint plugin that still uses the legacy setup.py that depends on octoprint_setuptools, and add necessary parameters to pip for installation to work even under pip >= 25.3 (specifically --no-build-isolation --use-pep517). This solves errors installing plugins when the pip version in OctoPrint’s virtual environment has been upgraded to 25.3 or newer. See also this FAQ item.
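The detection described in #5204 can be sketched as follows. This is an added example, not OctoPrint's own implementation: it assumes the plugin arrives as a zip archive and that "legacy" can be recognised by an import of octoprint_setuptools in setup.py, and all function names are hypothetical.

```python
import ast
import io
import zipfile

LEGACY_MODULE = "octoprint_setuptools"
# The two pip parameters named in the release note above.
LEGACY_PIP_FLAGS = ["--no-build-isolation", "--use-pep517"]

def imports_legacy_helper(setup_source):
    """True if setup.py imports octoprint_setuptools (parsed, never executed)."""
    try:
        tree = ast.parse(setup_source)
    except SyntaxError:
        return False  # unparseable: add nothing, let pip report the error
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = [node.module or ""]
        else:
            continue
        if any(n.split(".")[0] == LEGACY_MODULE for n in names):
            return True
    return False

def find_setup_py(archive):
    """Source of the shallowest setup.py in a ZipFile, or None."""
    hits = [n for n in archive.namelist() if n.split("/")[-1] == "setup.py"]
    if not hits:
        return None
    shallowest = min(hits, key=lambda n: n.count("/"))
    return archive.read(shallowest).decode("utf-8", errors="replace")

def pip_install_args(archive_bytes, archive_name):
    """pip arguments for a plugin zip, extended when the plugin is legacy."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        source = find_setup_py(zf)
    args = ["install", archive_name]
    if source is not None and imports_legacy_helper(source):
        args += LEGACY_PIP_FLAGS
    return args

def make_sample_archive(source, member="OctoPrint-Example-main/setup.py"):
    """Constructed sample input: a one-file plugin zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, source)
    return buf.getvalue()
```

Parsing setup.py with ast instead of importing it means an untrusted plugin's setup code is not run just to decide which pip parameters to use.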

🐛 Bug fixes

Core

  • #5193: Persist cache key used for file metadata in UI to reduce the likelihood of triggering a file data polling loop.
  • #5199: Trigger the reload overlay when encountering a CSRF error during a server reconnect. That fixes the “Server Offline” error encountered when restoring from a backup.
  • Pinned the psutil dependency less aggressively again, after a broken release was pulled by piwheels.
  • Pinned the click dependency to a version below 8.3 due to breaking changes. This is a temporary solution for the 1.11.x release in particular; 1.12.0 will ship with full compatibility to current click releases again.
  • Pinned the markupsafe dependency to <=3.0.2 under Python 3.9 and armv7. The stock Python 3 environment found on Debian Bullseye that matches these parameters contains a buggy toml library that can no longer parse the packaging file of recent releases.

You can also take a look at the changelog on GitHub.

Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕

Click here if you enjoy OctoPrint and want to help with its funding!

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Also make sure to check any of the heads-ups or plugin incompatibilities listed below.

Heads-ups

The heads-ups from 1.11.0 still apply. Please read them carefully, as they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.

The following heads-ups from earlier releases also still apply:

Thanks

Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!

A special Thank You! to this fine person for their PRs!

Also another Thank you! to @jacopotediosi for the responsible disclosure of vulnerabilities fixed in this release.

Further Information

If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. However, you can force the update via Settings > Software Update > Advanced options > Force check for update.

If your update fails, chances are high that you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.

If you have any problems with your OctoPrint installation, please seek support on the community forum.
