Description
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.
Published: 2026-06-19
Score: 5.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Octopus Server allows an attacker with certain access levels to embed malicious scripts via artifacts. These scripts can execute in the victim’s browser, potentially stealing cookies, hijacking sessions or defacing content. The impact is primarily a client‑side compromise that could lead to confidentiality and integrity violations for users interacting with the server.

Affected Systems

The affected product is Octopus Deploy Octopus Server. No specific affected versions were listed; the issue applies to versions of Octopus Server that have not been patched to address the XSS bug.

Risk and Exploitability

The CVSS score of 5.6 indicates a moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation data. The attack vector is likely via the web interface where users can upload or view artifacts, and it requires that the attacker has sufficient permissions to add or modify artifacts.

Generated by OpenCVE AI on June 19, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Octopus Server to the latest release that contains the XSS fix.
  • Restrict or disable artifact uploads for users with lower access levels until the patch is applied.
  • Configure a web application firewall or Content-Security-Policy headers to block suspicious script payloads.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 10:45:00 +0000

Type         Values Removed   Values Added
Title                         Cross-Site Scripting via Embedded Artifacts in Octopus Server
Weaknesses                    CWE-79

Fri, 19 Jun 2026 09:45:00 +0000

Type         Values Removed   Values Added
Description                   In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.
References
Metrics                       cvssV4_0 {'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-06-19T09:23:28.395Z

Reserved: 2026-05-11T09:44:07.992Z

Link: CVE-2026-8296

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T10:30:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')