CVE-2025-0526

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-0526
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://advisories.octopus.com/post/2024/sa2025-03/ Broken Link
https://advisories.octopus.com/post/2025/sa2025-03/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

02 Jul 2025, 17:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
First Time Microsoft
Octopus octopus Server
Microsoft windows
Octopus
References () https://advisories.octopus.com/post/2024/sa2025-03/ - () https://advisories.octopus.com/post/2024/sa2025-03/ - Broken Link
References () https://advisories.octopus.com/post/2025/sa2025-03/ - () https://advisories.octopus.com/post/2025/sa2025-03/ - Vendor Advisory

18 Mar 2025, 18:15

Type Values Removed Values Added
CWE CWE-862

25 Feb 2025, 19:15

Type Values Removed Values Added
References
  • () https://advisories.octopus.com/post/2025/sa2025-03/ -

18 Feb 2025, 18:15

Type Values Removed Values Added
CWE CWE-22
Summary
  • (es) En las versiones afectadas de Octopus Deploy, era posible cargar archivos en ubicaciones inesperadas en el host mediante un endpoint de API. El campo carecía de validación, lo que podría dar lugar a formas de eludir los flujos de trabajo esperados.
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : unknown

11 Feb 2025, 15:15

Type Values Removed Values Added
CWE CWE-22
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

11 Feb 2025, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-11 11:15

Updated : 2025-07-02 17:23

NVD link : CVE-2025-0526

Mitre link : CVE-2025-0526

CVE.ORG link : CVE-2025-0526

JSON object : View

Products Affected

microsoft

  • windows

octopus

  • octopus_server
CWE
CWE-862

Missing Authorization