This third release candidate for the upcoming 2.0.0 release fixes several regressions that were reported with the first one, as well as some newly found bugs. It also improves on newly added functionality, and the two security issues just fixed in 1.11.x have also been fixed here:

🔒 Security fixes

  • XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notification popups generated by the printer.

    An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

    See also the GitHub Security Advisory and CVE-2026-35163.

  • File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder, from where they can then be downloaded. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067, but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.

    The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint’s config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.

    See also the GitHub Security Advisory and CVE-2026-54134.

✨ Improvements

Core

  • Added the used printer connector to various printer related events.

Core UI

  • Add support for hiding non-stock marks on the temperature graph.
  • Add “Printing” chart marker: shows start of actual job processing after initial preheating, leveling, etc.

Plugin Manager

  • Add more filter options to the plugin repository browser: It’s now possible to filter out any plugins marked as commercial or AI developed.
  • Add display of the ai-developed attribute added on the plugin repository.

🐛 Bug fixes

Core

  • #5404 (regression): Fix “Hide successfully printed files” option in the file list breaking its processing due to JS errors inside the filter.
  • #5419 (regression): Fix /api/job throwing an error in case of a non-int progress.
  • #5421 (regression): Fix crash in Printer.get_current_temperatures when printer connector doesn’t support temperature offsets.
  • PR#5422 (regression): Fix download filenames containing a comma (,).
  • (regression) Fix stopping and starting of analysis queue.
  • Update gcode-thumbnail-tool to fix extraction of thumbnails generated by Creality Print 7.x
  • Fix versioning without available tags.

Core UI

  • Ensure temperature graph marks don’t wrap.

Gcode Viewer Plugin

  • #5408 (regression): Fix syncing with job progress.

Serial Connector Plugin

  • #5420: Fix thread leak when connecting to a serial port that doesn’t respond to the handshake attempts.

For heads-ups, highlights and fancy pictures, please see the earlier post about 2.0.0rc1.

You can find the full changelog and release notes as usual on GitHub.

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports: you help make the next release as stable as possible! And of course also thank you to everyone who helped fund the development that went into this release candidate!

A special Thank You! to this fine person for their PRs!

Also another Thank you! to @jacopotediosi and @seankohjs for the responsible disclosure of vulnerabilities fixed in this release.

As the past RCs have shown me that a lot of people appear to be unaware of this: Please do not install this RC if you expect a fully stable version. It is not a stable release, it is a release candidate: severe bugs may occur, and they might be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should feel comfortable with and capable of possibly having to do this before installing an RC.

If you want to and can help test this release candidate, you can find information on how to switch to the "Release Candidates" release channel in this guide if not already done (also linked below).

Please provide feedback on this RC. For general feedback you can use this ticket on the tracker. The information that everything works fine for you is also valuable feedback 😄. For bug reports please follow How to file a bug report - I need logs and reproduction steps to fix issues, not just the information that something doesn't work, so make sure to fill out all fields of the issue template.

While testing the release candidate, please take a closer look at these things:

  • Proper behaviour when using the included web interface as well as any third party clients at your disposal.

  • Printing via serial connection.

  • Managing files on your printer’s storage via a serial connection.

  • Blocklisted serial ports and/or baud rates are properly migrated to the serial connector (one per line, not comma-separated).

  • If your printer’s disconnected state happens to be “after error”, please report back on which connector you used and what the reported error is.

  • If you have a Klipper/Moonraker based printer available: can you use it through OctoPrint when you install the Moonraker Connector (work in progress)?

  • If you have a Bambu based printer available: can you use it through OctoPrint when you install the Bambu Connector (work in progress)?

Thanks!

Depending on the feedback regarding this version I'll look into fixing any observed regressions and bugs and pushing out a follow-up version as soon as possible and necessary.

Discuss!