I would have preferred to continue to fully focus on the current RC phase for the upcoming 2.0.0 release, but I received two security reports, and as one of them has a severity of High, I decided to push out yet another bugfix release for 1.11.x. 1.11.8 brings you fixes for the two security issues (which will also be fixed in the 2.0.0 RC later today) as well as a fix for a long-standing bug that was initially tagged as a regression in 2.0.0. Here’s the changelog:

🔒 Security fixes

  • XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into the Suppressed Command notification popups generated by the printer.

    An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

    See also the GitHub Security Advisory and CVE-2026-35163.

  • File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder, from where they can then be downloaded. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067, but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.

    The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint’s config, or of further system files. Since a moved file disappears from its original location, removing important runtime files this way could also be used to impact the availability of the host after an attempted server restart. Given that the attacker needs a user account with file upload permissions, the actual impact should however hopefully be minimal in most cases.

    See also the GitHub Security Advisory and CVE-2026-54134.
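The class of bug above is a request parameter that names a filesystem path and is not confined to the upload folder before the server moves or copies anything. As an added illustration (this is not OctoPrint’s code, nor its actual fix, and the function names, the hypothetical `name` parameter and the scratch files are my own construction), the following check rejects absolute paths, `..` traversal, NUL bytes and symlinks that point outside the folder; the same check has to be applied to every path-like parameter an upload or move endpoint accepts, source and destination alike:

```python
"""Confining a user-supplied file name to an upload folder.

Added illustration, not OctoPrint's own code: every path-like request
parameter on an upload/move endpoint must pass a check like this so that it
can only ever name files *inside* the upload folder, never arbitrary host
paths such as the config file.  The ``name`` parameter is hypothetical.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a user-supplied name would escape the upload folder."""


def safe_upload_path(upload_root, name: str) -> Path:
    """Return the absolute path that ``name`` denotes inside ``upload_root``.

    Rejects empty names, NUL bytes, absolute paths, ``..`` traversal and any
    name that, after resolving symlinks, lands outside the upload folder.
    """
    if not name or "\x00" in name:
        raise UnsafePathError("empty name or NUL byte")
    root = Path(upload_root).resolve()
    candidate = Path(name)
    # An upload name is always relative; absolute paths (and Windows drive
    # letters) are never acceptable, regardless of where they point.
    if candidate.is_absolute() or candidate.drive:
        raise UnsafePathError(f"absolute path rejected: {name!r}")
    # Reject traversal components up front; resolve() below catches anything
    # that still sneaks out (e.g. via a symlink planted inside the folder).
    if any(part == ".." for part in candidate.parts):
        raise UnsafePathError(f"traversal rejected: {name!r}")
    target = (root / candidate).resolve()
    # resolve() follows symlinks, so a link inside uploads/ that points at
    # the config file resolves to the config file and is caught here.
    if target != root and root not in target.parents:
        raise UnsafePathError(f"escapes upload folder: {name!r}")
    return target


def demo() -> dict[str, str]:
    """Run the check against constructed names in a scratch directory.

    Returns a mapping from case label to either the accepted relative path
    or the string "rejected".
    """
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uploads = base / "uploads"
        uploads.mkdir()
        # Constructed stand-in for a secret living *outside* the upload folder.
        secret = base / "config.yaml"
        secret.write_text("api_key: not-a-real-key\n")
        # Constructed attacker-planted symlink inside the upload folder.
        (uploads / "link").symlink_to(secret)
        cases = {
            "benign": "prints/benchy.gcode",
            "traversal": "../config.yaml",
            "absolute": str(secret),
            "symlink": "link",
            "nul": "a.gcode\x00.yaml",
        }
        for label, name in cases.items():
            try:
                target = safe_upload_path(uploads, name)
                results[label] = str(target.relative_to(uploads.resolve()))
            except UnsafePathError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} -> {outcome}")
```

Note that the check compares the fully resolved target against the resolved root; a check that only inspects the string (looking for `..`, say) misses the symlink case, which is exactly the sort of gap that turns a “fixed” path-injection issue into an incomplete fix.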

🐛 Bug fixes

  • #5420: Fix thread leak when connecting to a serial port that doesn’t respond to the handshake attempts.

You can also take a look at the changelog on GitHub.

Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕

Click here if you enjoy OctoPrint and want to help with its funding!

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Also make sure to check any of the heads-ups or plugin incompatibilities listed below.

Heads-ups

The heads-ups from 1.11.0 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.

The following heads-ups from earlier releases also still apply:

Thanks

Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!

A special Thank You! to this fine person for their PRs!

Also another Thank you! to @jacopotediosi and @seankohjs for the responsible disclosure of vulnerabilities fixed in this release.

Further Information

If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.

If your update fails, chances are high that you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.

If you have any problems with your OctoPrint installation, please seek support on the community forum.

Discuss!