OctoPrint prior to 1.6.0 allows XSS because API error messages include the values of input parameters.
octoprint octoprint