CVE-2026-8296

Summary

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2023.0.0 < 2025.4.10678affected
Octopus DeployOctopus Server2026.1.0 < 2026.1.11451affected
Octopus DeployOctopus Server2026.2.0 < 2026.2.13114affected

Weaknesses

  • Stored XSS using artifacts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References