Cross-Site Scripting Vulnerability in Octopus Server from Octopus Deploy
CVE-2026-8296

5.6MEDIUM

Key Information:

Vendor: Octopus Deploy
Status: Octopus Server
Vendor: CVE Published:; 19 June 2026

🔔 Create Octopus Deploy Vulnerability Alert

What is CVE-2026-8296?

Octopus Server has a Cross-Site Scripting (XSS) vulnerability that allows attackers with certain access levels to embed malicious scripts through artifacts. This can potentially lead to unauthorized actions being performed in the context of a user's session. It is crucial for users to review their access configurations and update to secure versions to mitigate this risk.

Affected Version(s)

Octopus Server Windows 2023.0.0 < 2025.4.10678

Octopus Server Windows 2026.1.0 < 2026.1.11451

Octopus Server Windows 2026.2.0 < 2026.2.13114

References

https://advisories.octopus.com/post/2026/sa2026-05

CVSS V4

Score:

5.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
May 11, 2026

Credit

This vulnerability was found by asotyc

CVE-2026-8296 Data

JSON