Octopus Octopus_server

64 CVEs affecting Octopus Octopus_server. Latest disclosed: 2026-06-04. Critical: 6, High: 17.

Top CVEs affecting Octopus Octopus_server
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-9194 | Critical | 9.8 | 2024-09-30 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Li… |
| CVE-2022-2572 | Critical | 9.8 | 2022-11-01 | In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/dele… |
| CVE-2022-2778 | Critical | 9.8 | 2022-09-30 | In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. |
| CVE-2018-11320 | Critical | 9.8 | 2018-05-21 | In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. |
| CVE-2026-0704 | Critical | 9.1 | 2026-02-25 | In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation w… |
| CVE-2022-2782 | Critical | 9.1 | 2022-10-27 | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. |
| CVE-2025-0539 | High | 8.8 | 2025-04-10 | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allo… |
| CVE-2024-2975 | High | 8.8 | 2024-04-09 | A race condition was identified through which privilege escalation was possible in certain configurations. |
| CVE-2022-4009 | High | 8.8 | 2023-03-16 | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation |
| CVE-2018-18850 | High | 8.8 | 2018-10-31 | In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously cr… |
| CVE-2022-2780 | High | 8.1 | 2022-10-14 | In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the… |
| CVE-2019-11632 | High | 8.1 | 2019-05-01 | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permissi… |
| CVE-2021-26556 | High | 7.8 | 2021-10-07 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loadin… |
| CVE-2025-0525 | High | 7.5 | 2025-02-11 | In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversar… |
| CVE-2022-2883 | High | 7.5 | 2023-02-22 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service |
| CVE-2022-3460 | High | 7.5 | 2023-01-03 | In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. |
| CVE-2022-2721 | High | 7.5 | 2022-11-25 | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plain-text when verb… |
| CVE-2022-2075 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. |
| CVE-2022-2074 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. |
| CVE-2022-2049 | High | 7.5 | 2022-08-19 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. |