Skip to main content

Octopus Server

50 CVEs product

Monthly

CVE-2026-8296 MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
CVSS 4.0
5.6
EPSS
0.2%
CVE-2026-4881 MEDIUM POC PATCH This Month

Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Octopus Server
NVD VulDB GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-3237 LOW PATCH Monitor

A security vulnerability in affected (CVSS 2.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Octopus Server
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-3236 MEDIUM This Month

Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0704 CRITICAL Act Now

Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.

Path Traversal Octopus Server
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-0539 MEDIUM This Month

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft SSRF Octopus Server Windows
NVD
CVSS 4.0
5.9
EPSS
0.1%
CVE-2025-0588 MEDIUM This Month

In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Denial Of Service Octopus Server
NVD
CVSS 4.0
5.9
EPSS
0.4%
CVE-2025-0526 LOW Monitor

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 4.0
2.3
EPSS
0.1%
CVE-2025-0513 LOW Monitor

In affected versions of Octopus Server error messages were handled unsafely on the error page. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.

XSS Octopus Server
NVD
CVSS 4.0
1.8
EPSS
0.1%
CVE-2025-0525 LOW Monitor

In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 4.0
2.3
EPSS
0.2%
CVE-2025-0589 MEDIUM This Month

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2024-9194 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.1.0 before. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Microsoft Octopus Server
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-1656 LOW Monitor

Affected versions of Octopus Server had a weak content security policy. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
2.6
EPSS
0.2%
CVE-2024-7998 LOW Monitor

In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
2.6
EPSS
0.2%
CVE-2024-6972 MEDIUM This Month

In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-4811 LOW Monitor

In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
2.2
EPSS
0.2%
CVE-2024-4456 MEDIUM This Month

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Octopus Server
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-4226 LOW Monitor

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Octopus Server
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2024-2975 HIGH This Week

A race condition was identified through which privilege escalation was possible in certain configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-1904 HIGH This Week

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2022-2721 HIGH This Week

In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-2572 CRITICAL Act Now

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-2782 CRITICAL Act Now

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2022-2508 MEDIUM This Month

In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-2780 HIGH This Week

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2022-2828 MEDIUM This Month

In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-2720 MEDIUM This Month

In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2022-2783 MEDIUM This Month

In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2022-2781 MEDIUM This Month

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2022-2778 CRITICAL PATCH Act Now

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-2760 MEDIUM PATCH This Month

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Octopus Server
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-2528 MEDIUM This Month

In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Octopus Server
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-2075 HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-2074 HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-2049 HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-1901 MEDIUM PATCH This Month

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-29890 MEDIUM This Month

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Octopus Server
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-1881 MEDIUM This Month

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-1670 HIGH This Week

When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-26556 HIGH This Week

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Deploy Octopus Server
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-31820 HIGH This Week

In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2020-16197 MEDIUM This Month

An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server Server
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2019-15698 MEDIUM This Month

In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD GitHub
CVSS 3.0
4.3
EPSS
0.9%
CVE-2019-14525 MEDIUM This Month

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Deploy Octopus Server
NVD GitHub
CVSS 3.0
4.9
EPSS
1.5%
CVE-2019-11632 HIGH POC This Week

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Octopus Deploy Octopus Server
NVD GitHub
CVSS 3.0
8.1
EPSS
1.2%
CVE-2019-8944 MEDIUM This Month

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Octopus Deploy Octopus Server
NVD GitHub
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-18850 HIGH POC THREAT Act Now

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Octopus Server
NVD GitHub
CVSS 3.0
8.8
EPSS
12.5%
CVE-2018-12089 HIGH This Week

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Information Disclosure Octopus Server
NVD GitHub
CVSS 3.0
7.5
EPSS
0.9%
CVE-2018-11320 CRITICAL Act Now

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD GitHub
CVSS 3.0
9.8
EPSS
1.4%
CVE-2017-11348 MEDIUM This Month

In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Octopus Deploy Octopus Server
NVD GitHub
CVSS 3.0
5.7
EPSS
0.6%
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.

XSS Octopus Server
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Octopus Server
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

A security vulnerability in affected (CVSS 2.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Octopus Server
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.

Path Traversal Octopus Server
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft SSRF Octopus Server +1
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Denial Of Service Octopus Server
NVD
EPSS 0% CVSS 2.3
LOW Monitor

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 1.8
LOW Monitor

In affected versions of Octopus Server error messages were handled unsafely on the error page. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.

XSS Octopus Server
NVD
EPSS 0% CVSS 2.3
LOW Monitor

In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.1.0 before. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Microsoft Octopus Server
NVD
EPSS 0% CVSS 2.6
LOW Monitor

Affected versions of Octopus Server had a weak content security policy. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 2.6
LOW Monitor

In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 2.2
LOW Monitor

In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Octopus Server
NVD
EPSS 0% CVSS 3.5
LOW Monitor

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Octopus Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A race condition was identified through which privilege escalation was possible in certain configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Octopus Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 8.1
HIGH This Week

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Octopus Server
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Octopus Server
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Octopus Server
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Octopus Server
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Octopus Server
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Octopus Server
NVD
EPSS 0% CVSS 7.8
HIGH This Week

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Deploy Octopus Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server Server
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD GitHub
EPSS 2% CVSS 4.9
MEDIUM This Month

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Octopus Deploy Octopus Server
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Octopus Deploy Octopus Server
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM This Month

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Octopus Deploy +1
NVD GitHub
EPSS 12% CVSS 8.8
HIGH POC THREAT Act Now

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Octopus Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Information Disclosure Octopus Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Server
NVD GitHub
EPSS 1% CVSS 5.7
MEDIUM This Month

In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Octopus Deploy Octopus Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy