CVE-2025-0588
Published 2025-02-11

Priority: P4 · 22 · medium 4.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.39% (30.9th percentile)
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octopus | octopus_server | >= 2020.1.0 < 2024.3.13097 | 2024.3.13097 |
| octopus | octopus_server | >= 2024.4.401 < 2024.4.7091 | 2024.4.7091 |
| octopus_deploy | octopus_server | >= 2020.1.0 < 2024.3.13097 | 2024.3.13097 |
| octopus_deploy | octopus_server | >= 2024.4.401 < 2024.4.7091 | 2024.4.7091 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 5.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
Related (Wiz): CVE-2026-3237 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.9)

## CVE-2026-3237: Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Source: NVD
Score: 2.3 (CNA) · Severity: LOW · Published: March 17, 2026
Affected technologies: Octopus Deploy
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability percentile (EPSS): 8.9 · Exploitation probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:octopus:octopus_server
Sources: NVD
Related (Wiz): CVE-2026-3236 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.9)

## CVE-2026-3236: Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.

Source: NVD
Score: 2.3 (CNA) · Severity: LOW · Published: March 5, 2026
Affected technologies: Octopus Deploy
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability percentile (EPSS): 10.5 · Exploitation probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:octopus:octopus_server
Windows: severity MEDIUM, has fix, added Mar 08, 2026
Windows: severity MEDIUM, has fix, added Mar 13, 2026
Related (Wiz): CVE-2026-0704 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.9)

## CVE-2026-0704: Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.

Source: NVD
Score: 5.9 (CNA) · Severity: MEDIUM · Published: February 25, 2026
Affected technologies: Octopus Deploy
Has public exploit: No · Has CISA KEV exploit: No · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation probability percentile (EPSS): 24 · Exploitation probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:octopus:octopus_server
Windows: severity CRITICAL, has fix, added Mar 02, 2026