Home

Description

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.

PUBLISHED Reserved 2026-05-11 | Published 2026-06-19 | Updated 2026-06-19 | Assigner Octopus




MEDIUM: 5.6CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

Stored XSS using artifacts

Product status

Default status
unaffected

2023.0.0 (custom) before 2025.4.10678
affected

2026.1.0 (custom) before 2026.1.11451
affected

2026.2.0 (custom) before 2026.2.13114
affected

Credits

This vulnerability was found by asotyc finder

References

advisories.octopus.com/post/2026/sa2026-05

cve.org (CVE-2026-8296)

nvd.nist.gov (CVE-2026-8296)

Download JSON