Product: Octopus Server
71 known vulnerabilities across versions. Entries are listed by affected version range with the CVSS base score and severity; the summaries below are abbreviated, and the full briefing for each entry sits on that CVE's own page.

Two caveats when reading the version column. It is an index, not the advisory, and in several rows it disagrees with the range the summary itself names: CVE-2020-16197 and CVE-2017-11348 are indexed as "all versions" while their summaries name specific releases, and CVE-2019-14525, CVE-2019-11632, CVE-2018-18850 and CVE-2019-15508 have summaries that cite branches or a product (Tentacle) outside the indexed range. Confirm against the vendor advisory before concluding that a build is unaffected.
CVE | Affected versions | CVSS | Severity | Summary
CVE-2026-3237 | < 2025.3.14731 | 4.3 | MEDIUM | In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signin
CVE-2026-3236 | >= 2023.1.4189 and < 2025.3.14761 | 4.3 | MEDIUM | In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new
CVE-2026-0704 | >= 2023.1.4189 and < 2025.3.14715 | 9.1 | CRITICAL | In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint.
CVE-2025-0539 | >= 2.6.0 and < 2024.3.13071 | 8.8 | HIGH | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain
CVE-2025-0588 | >= 2020.1.0 and < 2024.3.13097 | 4.9 | MEDIUM | In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server respo
CVE-2025-0526 | >= 2022.4.791 and < 2024.3.13097 | 5.4 | MEDIUM | In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint.
CVE-2025-0513 | >= 2024.3.164 and < 2024.3.12985 | 5.4 | MEDIUM | In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any p
CVE-2025-0525 | >= 2020.6.4592 and < 2024.3.13007 | 7.5 | HIGH | In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. T
CVE-2025-0589 | >= 2020.3.3 and < 2024.3.13071 | 5.3 | MEDIUM | In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauth
CVE-2024-9194 | >= 2024.1.437 and < 2024.1.13038 | 9.8 | CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows
CVE-2024-1656 | >= 2018.1.0 and < 2024.2.9193 | 2.6 | LOW | Affected versions of Octopus Server had a weak content security policy.
CVE-2024-7998 | >= 2022.4.8332 and < 2024.1.12931 | 2.6 | LOW | In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maxi
CVE-2024-6972 | >= 2024.1.437 and < 2024.1.12759 | 6.5 | MEDIUM | In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the tas
CVE-2024-4811 | >= 2023.1.4189 and < 2023.4.8608 | 2.2 | LOW | In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted proje
CVE-2024-4456 | >= 3.0.0 and < 2023.4.8338 | 4.1 | MEDIUM | In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the a
CVE-2024-4226 | >= 2022.2.6729 and < 2022.2.7934 | 3.5 | LOW | It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user r
CVE-2023-4509 | >= 2018.9.0 and < 2023.4.296 | 4.3 | MEDIUM | It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
CVE-2024-2975 | >= 0.9 and < 2023.4.8432 | 8.8 | HIGH | A race condition was identified through which privilege escalation was possible in certain configurations.
CVE-2023-1904 | >= 2022.1.2121 and < 2023.1.11942 | 4.2 | MEDIUM | In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configura
CVE-2022-2416 | >= 2019.4.0 and < 2022.4.9997 | 5.5 | MEDIUM | In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/r
CVE-2022-2346 | >= 2019.4.0 and < 2022.4.9997 | 5.5 | MEDIUM | In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-4870 | >= 3.0.0 and < 2023.1.9879 | 5.3 | MEDIUM | In affected versions of Octopus Deploy it is possible to discover network details via error message
CVE-2022-4008 | >= 0.9 and < 2022.3.11043 | 5.5 | MEDIUM | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-2507 | < 2023.1.9794 | 5.3 | MEDIUM | In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVE-2022-4009 | >= 3.0.19 and < 2022.2.8552 | 8.8 | HIGH | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
CVE-2022-2259 | >= 2019.1.0 and < 2022.3.11098 | 4.3 | MEDIUM | In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions
CVE-2022-2258 | >= 2019.1.0 and < 2022.3.11098 | 4.3 | MEDIUM | In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to
CVE-2022-2883 | < 2022.3.11043 | 7.5 | HIGH | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-4898 | >= 2019.7.0 and < 2022.2.8552 | 5.4 | MEDIUM | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support
CVE-2022-3614 | >= 3.5 and < 2022.3.10750 | 6.1 | MEDIUM | In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authent
CVE-2022-3460 | >= 2018.1.0 and < 2022.3.10750 | 7.5 | HIGH | In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked wh
CVE-2022-2721 | >= 2022.2.6729 and < 2022.2.7965 | 7.5 | HIGH | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log file
CVE-2022-2572 | >= 3.5 and < 2022.1.3264 | 9.8 | CRITICAL | In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the AP
CVE-2022-2782 | < 2022.2.8351 | 9.1 | CRITICAL | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of t
CVE-2022-2508 | < 2022.1.3264 | 5.3 | MEDIUM | In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have
CVE-2022-2780 | >= 2021.2.994 and < 2022.1.3180 | 8.1 | HIGH | In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an
CVE-2022-2828 | >= 2022.1.2121 and <= 2022.1.3135 | 6.5 | MEDIUM | In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Obje
CVE-2022-2720 | >= 3.16.4 and < 2022.1.3154 | 5.3 | MEDIUM | In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive va
CVE-2022-2783 | >= 3.12.0 and < 2022.1.3154 | 5.3 | MEDIUM | In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVE-2022-2781 | >= 3.2.10 and < 2022.1.3154 | 5.3 | MEDIUM | In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session coo
CVE-2022-2778 | >= 3.0 and < 2022.2.8277 | 9.8 | CRITICAL | In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVE-2022-2760 | >= 2019.5.7 and < 2022.1.3180 | 4.3 | MEDIUM | In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view
CVE-2022-2528 | >= 3.0.0 and <= 4.1.10 | 6.5 | MEDIUM | In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-
CVE-2022-2075 | >= 0.9 and <= 0.9.620.4 | 7.5 | HIGH | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request
CVE-2022-2074 | >= 0.9 and <= 0.9.620.4 | 7.5 | HIGH | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049 | >= 0.9 and <= 0.9.620.4 | 7.5 | HIGH | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-1901 | >= 2019.1.0 and <= 2019.7.3 | 5.3 | MEDIUM | In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2022-30532 | >= 0.9 and < 2021.3.13021 | 5.3 | MEDIUM | In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
CVE-2022-29890 | >= 2019.7.0 and < 2021.3.13021 | 6.1 | MEDIUM | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support
CVE-2022-1881 | >= 2021.1.6959 and < 2021.3.13021 | 5.3 | MEDIUM | In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to
CVE-2022-1670 | >= 0.9 and < 2021.3.12533 | 7.5 | HIGH | When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It
CVE-2022-1502 | >= 2021.3 and < 2021.3.12725 | 4.3 | MEDIUM | Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified b
CVE-2022-23184 | >= 2021.2.0 and < 2021.2.8011 | 6.1 | MEDIUM | In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow
CVE-2021-26556 | >= 2020.5.0 and < 2020.5.256 | 7.8 | HIGH | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileg
CVE-2021-31820 | > 2018.8.2 and < 2020.6.5310 | 7.5 | HIGH | In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password i
CVE-2021-31817 | >= 2020.6.0 and < 2020.6.5146 | 7.5 | HIGH | When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password
CVE-2021-31816 | < 2020.6.5146 | 7.5 | HIGH | When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password
CVE-2021-31818 | >= 2018.9.17 and < 2018.13.0 | 4.3 | MEDIUM | Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user
CVE-2021-30183 | < 2020.5.329 | 7.5 | HIGH | Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import
CVE-2020-16197 | all versions | 4.3 | MEDIUM | An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outsid
CVE-2019-19085 | >= 3.4.0 and <= 2019.10.5 | 5.4 | MEDIUM | A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attack
CVE-2019-15698 | >= 2019.7.3 and <= 2019.7.9 | 4.3 | MEDIUM | In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could v
CVE-2019-15508 | >= 3.0.8 and <= 2019.7.6 | 6.5 | MEDIUM | In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited Oct
CVE-2019-15507 | >= 2018.8.4 and <= 2019.7.6 | 6.5 | MEDIUM | In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited
CVE-2019-14525 | >= 2019.7.0 and < 2019.7.6 | 4.9 | MEDIUM | In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator i
CVE-2019-11632 | >= 2019.4.0 and <= 2019.4.5 | 8.1 | HIGH | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or
CVE-2019-8944 | >= 2018.11.0 and < 2019.1.8 | 6.5 | MEDIUM | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows
CVE-2018-18850 | >= 2018.8.0 and <= 2018.8.12 | 8.8 | HIGH | In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes
CVE-2018-12089 | >= 2018.5.1 and <= 2018.5.7 | 7.5 | HIGH | In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, whe
CVE-2018-11320 | >= 2018.4.4 and <= 2018.5.1 | 9.8 | CRITICAL | In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfus
CVE-2017-11348 | all versions | 5.7 | MEDIUM | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a malicious
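The affected-version column uses a small grammar (a bare bound such as "< 2025.3.14731", two bounds joined by "and", or the literal "all versions"), and Octopus builds are dotted integers of varying length (2024.3.13071, 0.9.620.4, 3.5). The script below, an added example that is not threatengine.sh's or Octopus Deploy's own code, matches an installed build against that grammar and filters by minimum CVSS the way the listing does. It embeds a constructed subset of nine rows copied from the table above so it runs offline; the grammar it assumes is exactly what is visible on this page, and version strings with pre-release or build suffixes are rejected rather than guessed at.

```python
import re
from typing import Callable, List, Tuple

# Constructed subset of rows from the listing above: (CVE, affected-version range, CVSS).
# The full table has 71 rows; these nine cover every range shape the page uses.
SAMPLE_ENTRIES: List[Tuple[str, str, float]] = [
    ("CVE-2026-3237", "< 2025.3.14731", 4.3),
    ("CVE-2026-3236", ">= 2023.1.4189 and < 2025.3.14761", 4.3),
    ("CVE-2026-0704", ">= 2023.1.4189 and < 2025.3.14715", 9.1),
    ("CVE-2025-0539", ">= 2.6.0 and < 2024.3.13071", 8.8),
    ("CVE-2024-9194", ">= 2024.1.437 and < 2024.1.13038", 9.8),
    ("CVE-2022-2828", ">= 2022.1.2121 and <= 2022.1.3135", 6.5),
    ("CVE-2021-31820", "> 2018.8.2 and < 2020.6.5310", 7.5),
    ("CVE-2022-2075", ">= 0.9 and <= 0.9.620.4", 7.5),
    ("CVE-2020-16197", "all versions", 4.3),
]

Version = Tuple[int, ...]

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")
_CLAUSE_RE = re.compile(r"^(>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '2024.3.13071' or '0.9.620.4'.

    Suffixed strings (pre-release/build tags, not present in this listing) are
    rejected so an unexpected input fails loudly instead of being misread.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare; the shorter tuple is zero-padded so 0.9 == 0.9.0.0."""
    n = max(len(a), len(b))
    a_pad = a + (0,) * (n - len(a))
    b_pad = b + (0,) * (n - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
}


def parse_range(text: str) -> Callable[[Version], bool]:
    """Turn a range string from the listing into a predicate over versions.

    Grammar assumed from the page: the literal 'all versions', or one or more
    clauses '<op> <version>' joined by ' and ' with op in >=, >, <=, <.
    All clauses must hold, so '>= X and < Y' is the half-open interval [X, Y).
    """
    text = text.strip()
    if text == "all versions":
        return lambda _v: True
    bounds = []
    for clause in text.split(" and "):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        bounds.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return lambda v: all(op(compare(v, bound)) for op, bound in bounds)


def affecting(installed: str, entries=SAMPLE_ENTRIES,
              min_cvss: float = 0.0) -> List[Tuple[str, float]]:
    """(CVE, CVSS) for every entry whose range covers the installed build,
    keeping only CVSS >= min_cvss, highest score first (ties keep listing order)."""
    v = parse_version(installed)
    hits = [(cve, score) for cve, rng, score in entries
            if score >= min_cvss and parse_range(rng)(v)]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # A 2024.3 build just below the CVE-2025-0539 fix: two High-or-above hits.
    for cve, score in affecting("2024.3.13000", min_cvss=7.0):
        print(f"{cve}  CVSS {score}")
```

The boundary handling is the part worth checking against the advisory: "< 2024.1.13038" means the build that carries the fix is excluded, while "<= 2019.7.6" includes it, and the index rows flagged above as disagreeing with their summaries (CVE-2020-16197 indexed as "all versions", for instance) will match every build here, so a hit is a prompt to read the briefing rather than a verdict.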
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin