Octopus: >> Octopus Server >> 3.14 Security Vulnerabilities
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-03-17
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-04-10
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
CVSS Score
4.1
EPSS Score
0.003
Published
2024-05-08
A race condition was identified through which privilege escalation was possible in certain configurations.
CVSS Score
8.8
EPSS Score
0.004
Published
2024-04-09
In affected versions of Octopus Deploy it is possible to discover network details via error message
CVSS Score
5.3
EPSS Score
0.002
Published
2023-05-18
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVSS Score
5.5
EPSS Score
0.0
Published
2023-05-10
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVSS Score
5.3
EPSS Score
0.003
Published
2023-04-19
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
CVSS Score
8.8
EPSS Score
0.009
Published
2023-03-16
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVSS Score
7.5
EPSS Score
0.005
Published
2023-02-22
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
CVSS Score
6.1
EPSS Score
0.002
Published
2023-01-03
Page 1