CVE-2026-8296
Received - Intake
Cross-Site Scripting via Artifacts in Octopus Server

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Octopus Deploy

Description
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts.
Affected Vendors & Products
Vendor: octopus_deploy
Product: octopus_server
Version / Range: start_including 2023.0, 2024.0, 2025.0, 2026.1; end_excluding 2025.4.10678, 2026.1.11451, 2026.2.13114
Executive Summary

CVE-2026-8296 is a stored Cross-Site Scripting (XSS) vulnerability in Octopus Server. It allows attackers with certain access levels to embed malicious scripts via artifacts in affected versions of the software.

This vulnerability affects all 2023.x and 2024.x releases of Octopus Server, 2025.x releases before 2025.4.10678, 2026.1.x releases before 2026.1.11451, and 2026.2.x releases before 2026.2.13114.

The issue was discovered internally by Octopus Deploy's security team and has a medium severity rating with a CVSS score of 5.6.

Impact Analysis

This vulnerability can allow attackers with certain access levels to inject malicious scripts into the Octopus Server via artifacts. These scripts could be executed in the context of users viewing the artifacts, potentially leading to unauthorized actions or data exposure.

Since it is a stored XSS vulnerability, the malicious payload persists and can affect multiple users, increasing the risk of exploitation.

There is no mitigation other than upgrading to fixed versions, so users are urged to update immediately to prevent potential exploitation.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

No mitigations exist for this vulnerability other than upgrading the affected Octopus Server to a fixed version.

  • Upgrade to Octopus Server version 2025.4.10678 or later.
  • Alternatively, upgrade to version 2026.1.11451 or later.
  • Alternatively, upgrade to version 2026.2.13114 or later, with 2026.2.13115 being the latest recommended version.

Users are urged to upgrade immediately to prevent potential exploitation.

Compliance Impact

The provided information does not specify how CVE-2026-8296 affects compliance with common standards and regulations such as GDPR or HIPAA.
