Vendor CVEs
Octopus
All CVEs
106 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11320 | Octopus | Critical | 0.64 | 9.8 | 0.01 | | May 21, 2018 | In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. |
| CVE-2018-5706 | Octopus | High | 0.57 | 8.8 | 0.01 | | Jan 16, 2018 | An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permissions even if they didn't have them, as demonstrated by use of the RoleEdit or TeamEdit permission. |
| CVE-2018-4862 | Octopus | High | 0.57 | 8.8 | 0.01 | | Jan 3, 2018 | In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, resulting in a potential escalation of privileges. |
| CVE-2017-17665 | Octopus | High | 0.57 | 8.8 | 0.01 | | Dec 13, 2017 | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access. |
| CVE-2018-12089 | Octopus | High | 0.49 | 7.5 | 0.01 | | Jun 11, 2018 | In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set… |
| CVE-2018-10550 | Octopus | High | 0.49 | 7.5 | 0.01 | | Apr 30, 2018 | In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. |
| CVE-2017-15609 | Octopus | High | 0.49 | 7.5 | 0.01 | | Oct 19, 2017 | Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets. |
| CVE-2024-12226 | Octopus | Medium | 0.42 | 6.5 | 0.00 | | Jan 16, 2025 | In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear-text. This was identified in Version 2 however it was determined that this could also be achieved in Version 1 and the fix was applied… |
| CVE-2018-12884 | Octopus | Medium | 0.42 | 6.5 | 0.01 | | Jun 26, 2018 | In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. |
| CVE-2018-9039 | Octopus | Medium | 0.42 | 6.5 | 0.01 | | Mar 27, 2018 | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments. |
| CVE-2017-15611 | Octopus | Medium | 0.42 | 6.5 | 0.01 | | Oct 19, 2017 | In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges. |
| CVE-2017-15610 | Octopus | Medium | 0.42 | 6.5 | 0.01 | | Oct 19, 2017 | An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by… |
| CVE-2026-4881 | Octopus | Medium | 0.39 | — | 0.00 | | Jun 4, 2026 | In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error. |
| CVE-2017-11348 | Octopus | Medium | 0.37 | 5.7 | 0.01 | | Jul 17, 2017 | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. |
| CVE-2018-10581 | Octopus | Medium | 0.35 | 5.4 | 0.01 | | May 1, 2018 | In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also… |
| CVE-2017-16810 | Octopus | Medium | 0.35 | 5.4 | 0.01 | | Nov 14, 2017 | Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter. |
| CVE-2017-16801 | Octopus | Medium | 0.35 | 5.4 | 0.01 | | Nov 13, 2017 | Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. |
| CVE-2026-3237 | Octopus | Medium | 0.28 | 4.3 | 0.00 | | Mar 17, 2026 | In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing… |
| CVE-2018-18850 | Octopus | | 0.07 | — | 0.12 | | Oct 31, 2018 | In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as… |
| CVE-2026-8296 | Octopus | | 0.00 | — | 0.00 | | Jun 19, 2026 | In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts. |
| CVE-2026-3236 | Octopus | | 0.00 | — | 0.00 | | Mar 5, 2026 | In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token. |
| CVE-2026-0704 | Octopus | | 0.00 | — | 0.00 | | Feb 25, 2026 | In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows. |
| CVE-2025-0539 | Octopus | | 0.00 | — | 0.00 | | Apr 10, 2025 | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host… |
| CVE-2025-0588 | Octopus | | 0.00 | — | 0.00 | | Feb 11, 2025 | In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors… |
| CVE-2025-0513 | Octopus | | 0.00 | — | 0.00 | | Feb 11, 2025 | In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message. |
| CVE-2025-0526 | Octopus | | 0.00 | — | 0.00 | | Feb 11, 2025 | In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows. |
| CVE-2025-0525 | Octopus | | 0.00 | — | 0.00 | | Feb 11, 2025 | In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server. |
| CVE-2025-0589 | Octopus | | 0.00 | — | 0.00 | | Feb 11, 2025 | In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when… |
| CVE-2024-9194 | Octopus | | 0.00 | — | 0.00 | | Sep 30, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection. This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before… |
| CVE-2024-1656 | Octopus | | 0.00 | — | 0.00 | | Sep 11, 2024 | Affected versions of Octopus Server had a weak content security policy. |
| CVE-2024-7998 | Octopus | | 0.00 | — | 0.00 | | Aug 21, 2024 | In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. |
| CVE-2024-6972 | Octopus | | 0.00 | — | 0.00 | | Jul 25, 2024 | In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. |
| CVE-2024-4811 | Octopus | | 0.00 | — | 0.00 | | Jul 25, 2024 | In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. |
| CVE-2024-4456 | Octopus | | 0.00 | — | 0.00 | | May 8, 2024 | In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page. |
| CVE-2024-4226 | Octopus | | 0.00 | — | 0.00 | | Apr 30, 2024 | It was identified that in certain versions of Octopus Server, a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed. |
| CVE-2023-4509 | Octopus | | 0.00 | — | 0.00 | | Apr 17, 2024 | It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. |
| CVE-2024-2975 | Octopus | | 0.00 | — | 0.00 | | Apr 9, 2024 | A race condition was identified through which privilege escalation was possible in certain configurations. |
| CVE-2023-1904 | Octopus | | 0.00 | — | 0.00 | | Dec 14, 2023 | In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. |
| CVE-2022-2416 | Octopus | | 0.00 | — | 0.00 | | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. |
| CVE-2022-2346 | Octopus | | 0.00 | — | 0.00 | | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. |
| CVE-2022-4870 | Octopus | | 0.00 | — | 0.00 | | May 18, 2023 | In affected versions of Octopus Deploy it is possible to discover network details via error message. |
| CVE-2022-4008 | Octopus | | 0.00 | — | 0.00 | | May 10, 2023 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service. |
| CVE-2023-2247 | Octopus | | 0.00 | — | 0.00 | | May 2, 2023 | In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function. |
| CVE-2022-2507 | Octopus | | 0.00 | — | 0.00 | | Apr 19, 2023 | In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage. |
| CVE-2022-4009 | Octopus | | 0.00 | — | 0.01 | | Mar 16, 2023 | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation. |
| CVE-2022-2258 | Octopus | | 0.00 | — | 0.01 | | Mar 13, 2023 | In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items. |
| CVE-2022-2259 | Octopus | | 0.00 | — | 0.00 | | Mar 13, 2023 | In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items. |
| CVE-2022-2883 | Octopus | | 0.00 | — | 0.01 | | Feb 22, 2023 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service. |
| CVE-2022-4898 | Octopus | | 0.00 | — | 0.00 | | Jan 31, 2023 | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different… |
| CVE-2022-3614 | Octopus | | 0.00 | — | 0.00 | | Jan 3, 2023 | In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. |
Page 1 of 3