Octopus Octopus_server
64 CVEs affecting Octopus Octopus_server. Latest disclosed: 2026-06-04. Critical: 6, High: 17.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-9194 | Critical | 9.8 | 2024-09-30 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Li… |
| CVE-2022-2572 | Critical | 9.8 | 2022-11-01 | In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/dele… |
| CVE-2022-2778 | Critical | 9.8 | 2022-09-30 | In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. |
| CVE-2018-11320 | Critical | 9.8 | 2018-05-21 | In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. |
| CVE-2026-0704 | Critical | 9.1 | 2026-02-25 | In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation w… |
| CVE-2022-2782 | Critical | 9.1 | 2022-10-27 | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. |
| CVE-2025-0539 | High | 8.8 | 2025-04-10 | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allo… |
| CVE-2024-2975 | High | 8.8 | 2024-04-09 | A race condition was identified through which privilege escalation was possible in certain configurations. |
| CVE-2022-4009 | High | 8.8 | 2023-03-16 | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation. |
| CVE-2018-18850 | High | 8.8 | 2018-10-31 | In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously cr… |
| CVE-2022-2780 | High | 8.1 | 2022-10-14 | In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the… |
| CVE-2019-11632 | High | 8.1 | 2019-05-01 | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permissi… |
| CVE-2021-26556 | High | 7.8 | 2021-10-07 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loadin… |
| CVE-2025-0525 | High | 7.5 | 2025-02-11 | In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversar… |
| CVE-2022-2883 | High | 7.5 | 2023-02-22 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service. |
| CVE-2022-3460 | High | 7.5 | 2023-01-03 | In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. |
| CVE-2022-2721 | High | 7.5 | 2022-11-25 | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plain text when verb… |
| CVE-2022-2075 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. |
| CVE-2022-2074 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. |
| CVE-2022-2049 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. |
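The three Regex Denial of Service entries in the table (CVE-2022-2075, CVE-2022-2074 and CVE-2022-2049) share one failure mode: an ambiguous pattern run against attacker-controlled input, so a near-miss string forces exponential backtracking. The Python below is an added example and not code from Octopus Deploy or from the advisories; the two patterns, the `MAX_BUILD_NUMBER_LEN` cap and the `validate_build_number` function are constructed for illustration and are not the regexes the advisories refer to. It shows the vulnerable shape beside a linear-time equivalent and the input-length cap that should run before any regex does.

```python
import re
import time

# Constructed patterns for illustration only (NOT Octopus Deploy's own
# validation regexes). The vulnerable pattern nests a quantified group inside
# another quantifier over the same character class, so on a near-miss input
# such as "111...1x" the engine tries every partition of the digit run before
# it can fail: exponential backtracking.
VULNERABLE_BUILD_NUMBER_RE = re.compile(r"^(\d+)+$")

# Linear-time equivalent: accepts exactly the same language (one or more
# digits) but has a single way to match each input, so no backtracking.
SAFE_BUILD_NUMBER_RE = re.compile(r"^\d+$")

# Hard cap applied before any regex runs; assumed limit for the example.
MAX_BUILD_NUMBER_LEN = 64


def validate_build_number(value: str) -> bool:
    """Return True if `value` is an acceptable build number.

    Two defences against ReDoS: reject oversize input before matching at
    all, and use an unambiguous pattern so match time is linear in length.
    """
    if len(value) > MAX_BUILD_NUMBER_LEN:
        return False
    return SAFE_BUILD_NUMBER_RE.fullmatch(value) is not None


def redos_probe(n: int) -> str:
    """Near-miss input: n digits followed by one non-digit."""
    return "1" * n + "x"


def time_match(pattern: re.Pattern, text: str) -> tuple:
    """Run `pattern` once against `text`; return (matched, elapsed_seconds)."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Growth in the vulnerable column is roughly 2x per extra digit; the safe
    # column stays flat. Kept to n <= 22 so the demo finishes in seconds.
    for n in (10, 15, 20, 22):
        probe = redos_probe(n)
        _, slow = time_match(VULNERABLE_BUILD_NUMBER_RE, probe)
        _, fast = time_match(SAFE_BUILD_NUMBER_RE, probe)
        print(f"n={n:2d}  vulnerable={slow:8.4f}s  safe={fast:.6f}s")
    print(validate_build_number("20240930"))   # well-formed: accepted
    print(validate_build_number("1" * 5000))   # oversize: rejected before regex
```

The length cap matters independently of the pattern fix: even a linear regex is a CPU sink when a request body can carry megabytes of input, and a cap turns a worst case into a constant-time rejection.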