Skip to main content

Octopus Server CVE-2026-8296

| EUVDEUVD-2026-38000 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 Octopus GHSA-vwwv-2j8q-wf75
5.6
CVSS 4.0 · Vendor: Octopus
Share

Severity by source

Vendor (Octopus) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.2 MEDIUM

High privileges and active victim interaction required; scope unchanged with confidentiality-only impact matching session theft via stored XSS.

3.1 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Octopus).

CVSS VectorVendor: Octopus

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 19, 2026 - 11:31 EUVD
Analysis Generated
Jun 19, 2026 - 10:02 vuln.today

DescriptionCVE.org

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.

AnalysisAI

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege Octopus Server account
Delivery
Craft artifact containing embedded XSS payload
Exploit
Upload artifact to target deployment or runbook
Execution
Victim user views artifact in Octopus Server web UI
Persist
XSS payload executes in victim browser
Impact
Session token or credentials exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privilege account on Octopus Server with permission to create or upload artifacts (PR:H per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.6 (Medium) accurately reflects a vulnerability with meaningful confidentiality impact but layered prerequisites that substantially reduce exploitability in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or legitimately holds a high-privilege Octopus Server account (e.g., a deployment engineer or compromised service account) uploads an artifact to a deployment or runbook containing a crafted filename or embedded content with an XSS payload. When a target user - such as an operations engineer or security reviewer - views the deployment summary or artifact listing in their browser, the payload executes and exfiltrates their session cookie to an attacker-controlled endpoint, enabling session hijacking without requiring the attacker to know the victim's credentials.
Remediation Consult the Octopus Deploy vendor advisory at https://advisories.octopus.com/post/2026/sa2026-05 for the confirmed patched release version - no specific fix version number was included in the available intelligence data so none is cited here. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-18850 HIGH POC
8.8 Oct 31

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment

CVE-2019-11632 HIGH POC
8.1 May 01

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUn

CVE-2022-2572 CRITICAL
9.8 Nov 01

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible t

CVE-2022-2778 CRITICAL
9.8 Sep 30

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical

CVE-2018-11320 CRITICAL
9.8 May 21

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive va

CVE-2026-0704 CRITICAL
9.1 Feb 25

Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables d

CVE-2022-2782 CRITICAL
9.1 Oct 27

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper valid

CVE-2024-9194 HIGH
8.7 Sep 30

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsof

CVE-2022-2780 HIGH
8.1 Oct 14

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to in

CVE-2021-26556 HIGH
7.8 Oct 07

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an

CVE-2024-2975 HIGH
7.5 Apr 09

A race condition was identified through which privilege escalation was possible in certain configurations. Rated high se

CVE-2023-1904 HIGH
7.5 Dec 14

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the

Share

CVE-2026-8296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy