CVE-2025-0526
Last modified
CVE-2025-0526 is a low-severity vulnerability rated 2.3/10 on the CVSS scale. In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Octopus | Octopus Server | >= 2022.4.791, < 2024.3.13097 |
| Octopus | Octopus Server | >= 2024.4.401, < 2024.4.7091 |
References
- https://advisories.octopus.com/post/2025/sa2025-03/Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-0526?
How severe is CVE-2025-0526?
How do I fix CVE-2025-0526?
Are you affected by CVE-2025-0526?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST