Search criteria
288 vulnerabilities found for enterprise_server by github
CVE-2026-1999 (GCVE-0-2026-1999)
Vulnerability from nvd – Published: 2026-02-18 20:44 – Updated: 2026-02-19 14:32
VLAI?
Title
Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests
Summary
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.17.0 , < 3.17.11
(semver)
Affected: 3.18.0 , < 3.18.5 (semver) Affected: 3.19.0 , < 3.19.2 (semver) |
Credits
ahacker1
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T14:31:31.276186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T14:32:12.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.17.11",
"status": "unaffected"
}
],
"lessThan": "3.17.11",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.5",
"status": "unaffected"
}
],
"lessThan": "3.18.5",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThan": "3.19.2",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ahacker1"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:44:51.396Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-1999",
"datePublished": "2026-02-18T20:44:51.396Z",
"dateReserved": "2026-02-05T17:14:39.098Z",
"dateUpdated": "2026-02-19T14:32:12.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1355 (GCVE-0-2026-1355)
Vulnerability from nvd – Published: 2026-02-18 20:42 – Updated: 2026-02-20 19:36
VLAI?
Title
Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports
Summary
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.19.0 , ≤ 3.19.1
(semver)
Affected: 3.18.0 , ≤ 3.18.4 (semver) Affected: 3.17.0 , ≤ 3.17.10 (semver) Affected: 3.16.0 , ≤ 3.16.13 (semver) Affected: 3.15.0 , ≤ 3.15.17 (semver) Affected: 3.14.0 , ≤ 3.14.22 (semver) |
Credits
ahacker1
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:36:17.574271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:36:28.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.1",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.4",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.10",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.13",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.17",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.22",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ahacker1"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user\u2019s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim\u2019s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim\u0027s GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user\u2019s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim\u2019s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim\u0027s GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:42:07.180Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.14"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.18"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-1355",
"datePublished": "2026-02-18T20:42:07.180Z",
"dateReserved": "2026-01-22T19:14:46.710Z",
"dateUpdated": "2026-02-20T19:36:28.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0573 (GCVE-0-2026-0573)
Vulnerability from nvd – Published: 2026-02-18 20:37 – Updated: 2026-02-18 21:20
VLAI?
Title
Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution
Summary
An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.21
(semver)
Affected: 3.15 , ≤ 3.15.16 (semver) Affected: 3.16 , ≤ 3.16.12 (semver) Affected: 3.17 , ≤ 3.17.9 (semver) Affected: 3.18 , ≤ 3.18.3 (semver) Affected: 3.19 , ≤ 3.19.1 (semver) |
Credits
R31n
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T21:18:26.120107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:20:02.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.22",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.21",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.16",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.12",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.9",
"status": "affected",
"version": "3.17",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.3",
"status": "affected",
"version": "3.18",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.1",
"status": "affected",
"version": "3.19",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "R31n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003eAn URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-178",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-178 Cross-Site Flashing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:37:39.601Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-0573",
"datePublished": "2026-02-18T20:37:39.601Z",
"dateReserved": "2026-01-02T16:56:23.289Z",
"dateUpdated": "2026-02-18T21:20:02.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13744 (GCVE-0-2025-13744)
Vulnerability from nvd – Published: 2026-01-06 20:44 – Updated: 2026-01-06 21:02
VLAI?
Title
Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML
Summary
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14.0 , ≤ 3.14.19
(semver)
Affected: 3.15.0 , ≤ 3.15.14 (semver) Affected: 3.16.0 , ≤ 3.16.10 (semver) Affected: 3.17.0 , ≤ 3.17.7 (semver) Affected: 3.18.0 , ≤ 3.18.1 (semver) Affected: 3.19 , ≤ 3.19.0 (semver) |
Credits
Roshan Kudave
Johan Carlsson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T21:02:19.515512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T21:02:33.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.19",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.14",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.10",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.7",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.1",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.0",
"status": "affected",
"version": "3.19",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Roshan Kudave"
},
{
"lang": "en",
"type": "finder",
"value": "Johan Carlsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T20:44:02.712Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-13744",
"datePublished": "2026-01-06T20:44:02.712Z",
"dateReserved": "2025-11-26T14:34:22.118Z",
"dateUpdated": "2026-01-06T21:02:33.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14046 (GCVE-0-2025-14046)
Vulnerability from nvd – Published: 2025-12-11 17:52 – Updated: 2025-12-11 18:48
VLAI?
Title
Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Unaffected:
3.19.0
(semver)
Affected: 3.18.0 , ≤ 3.18.2 (semver) Affected: 3.17.0 , ≤ 3.17.8 (semver) Affected: 3.16.0 , ≤ 3.16.11 (semver) Affected: 3.15.0 , ≤ 3.15.15 (semver) Affected: 3.14.0 , ≤ 3.14.20 (semver) |
Credits
André Storfjord Kristiansen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T18:46:58.599003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T18:48:17.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"status": "unaffected",
"version": "3.19.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.2",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.8",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.11",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.15",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.20",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andr\u00e9 Storfjord Kristiansen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."
}
],
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T17:52:05.353Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-14046",
"datePublished": "2025-12-11T17:52:05.353Z",
"dateReserved": "2025-12-04T16:22:53.626Z",
"dateUpdated": "2025-12-11T18:48:17.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11578 (GCVE-0-2025-11578)
Vulnerability from nvd – Published: 2025-11-10 22:44 – Updated: 2025-12-02 20:08
VLAI?
Title
Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation
Summary
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.19
(semver)
Affected: 3.15 , ≤ 3.15.14 (semver) Affected: 3.16 , ≤ 3.16.10 (semver) Affected: 3.17 , ≤ 3.17.7 (semver) Affected: 3.18 , ≤ 3.18.1 (semver) |
Credits
inspector-ambitious
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:33:22.593181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:12:10.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.19",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.14",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.10",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.7",
"status": "affected",
"version": "3.17",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.1",
"status": "affected",
"version": "3.18",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "inspector-ambitious"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T20:08:21.684Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-11578",
"datePublished": "2025-11-10T22:44:33.200Z",
"dateReserved": "2025-10-10T07:00:07.064Z",
"dateUpdated": "2025-12-02T20:08:21.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11892 (GCVE-0-2025-11892)
Vulnerability from nvd – Published: 2025-11-10 22:43 – Updated: 2025-11-12 20:12
VLAI?
Title
DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.18.0 , < 3.18.1
(semver)
Affected: 3.17.0 , ≤ 3.17.6 (semver) Affected: 3.16.0 , ≤ 3.16.9 (semver) Affected: 3.15.0 , ≤ 3.15.13 (semver) Affected: 3.14.0 , ≤ 3.14.18 (semver) |
Credits
André Storfjord Kristiansen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:33:39.031235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:12:21.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.18.1",
"status": "unaffected"
}
],
"lessThan": "3.18.1",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.6",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.9",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.13",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.18",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andr\u00e9 Storfjord Kristiansen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to\u00a03.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19."
}
],
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to\u00a03.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T22:43:41.790Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-11892",
"datePublished": "2025-11-10T22:43:41.790Z",
"dateReserved": "2025-10-16T19:22:23.359Z",
"dateUpdated": "2025-11-12T20:12:21.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8447 (GCVE-0-2025-8447)
Vulnerability from nvd – Published: 2025-08-26 01:42 – Updated: 2025-08-26 18:34
VLAI?
Title
Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access
Summary
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.16
(semver)
Affected: 3.15 , ≤ 3.15.11 (semver) Affected: 3.16 , ≤ 3.16.7 (semver) Affected: 3.17 , ≤ 3.17.4 (semver) |
Credits
furbreeze
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T18:34:46.734207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T18:34:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.16",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.11",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.7",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.4",
"status": "affected",
"version": "3.17",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "furbreeze"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T01:42:37.424Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-8447",
"datePublished": "2025-08-26T01:42:37.424Z",
"dateReserved": "2025-07-31T20:15:16.466Z",
"dateUpdated": "2025-08-26T18:34:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6981 (GCVE-0-2025-6981)
Vulnerability from nvd – Published: 2025-07-15 20:44 – Updated: 2025-07-16 19:04
VLAI?
Title
Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access
Summary
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14.0 , < 3.14.15
(semver)
Affected: 3.15.0 , < 3.15.10 (semver) Affected: 3.16.0 , < 3.16.6 (semver) Affected: 3.17.0 , < 3.17.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T19:04:01.443444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T19:04:18.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.15",
"status": "unaffected"
}
],
"lessThan": "3.14.15",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.10",
"status": "unaffected"
}
],
"lessThan": "3.15.10",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.6",
"status": "unaffected"
}
],
"lessThan": "3.16.6",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.3",
"status": "unaffected"
}
],
"lessThan": "3.17.3",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u0026nbsp;3.15.10,\u0026nbsp;3.16.6 and\u0026nbsp;3.17.3"
}
],
"value": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u00a03.15.10,\u00a03.16.6 and\u00a03.17.3"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T20:44:30.022Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-6981",
"datePublished": "2025-07-15T20:44:30.022Z",
"dateReserved": "2025-07-01T18:28:24.614Z",
"dateUpdated": "2025-07-16T19:04:18.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6600 (GCVE-0-2025-6600)
Vulnerability from nvd – Published: 2025-07-01 18:56 – Updated: 2025-07-01 19:38
VLAI?
Title
GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Search API
Summary
An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | GitHub Enterprise Server |
Affected:
3.17.0 , ≤ 3.17.1
(semver)
|
Credits
Kyle Carberry
Ammar Bandukwala
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T19:38:34.417355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T19:38:49.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GitHub Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.17.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.1",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyle Carberry"
},
{
"lang": "en",
"type": "finder",
"value": "Ammar Bandukwala"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization\u2019s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization\u2019s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:56:45.625Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Search API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-6600",
"datePublished": "2025-07-01T18:56:45.625Z",
"dateReserved": "2025-06-25T02:29:00.545Z",
"dateUpdated": "2025-07-01T19:38:49.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-1999 (GCVE-0-2026-1999)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:44 – Updated: 2026-02-19 14:32
VLAI?
Title
Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests
Summary
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.17.0 , < 3.17.11
(semver)
Affected: 3.18.0 , < 3.18.5 (semver) Affected: 3.19.0 , < 3.19.2 (semver) |
Credits
ahacker1
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T14:31:31.276186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T14:32:12.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.17.11",
"status": "unaffected"
}
],
"lessThan": "3.17.11",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.5",
"status": "unaffected"
}
],
"lessThan": "3.18.5",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThan": "3.19.2",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ahacker1"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:44:51.396Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-1999",
"datePublished": "2026-02-18T20:44:51.396Z",
"dateReserved": "2026-02-05T17:14:39.098Z",
"dateUpdated": "2026-02-19T14:32:12.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1355 (GCVE-0-2026-1355)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:42 – Updated: 2026-02-20 19:36
VLAI?
Title
Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports
Summary
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.19.0 , ≤ 3.19.1
(semver)
Affected: 3.18.0 , ≤ 3.18.4 (semver) Affected: 3.17.0 , ≤ 3.17.10 (semver) Affected: 3.16.0 , ≤ 3.16.13 (semver) Affected: 3.15.0 , ≤ 3.15.17 (semver) Affected: 3.14.0 , ≤ 3.14.22 (semver) |
Credits
ahacker1
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:36:17.574271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:36:28.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.1",
"status": "affected",
"version": "3.19.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.4",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.10",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.13",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.17",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.22",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ahacker1"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user\u2019s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim\u2019s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim\u0027s GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user\u2019s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim\u2019s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim\u0027s GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:42:07.180Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.5"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.11"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.14"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.18"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.23"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-1355",
"datePublished": "2026-02-18T20:42:07.180Z",
"dateReserved": "2026-01-22T19:14:46.710Z",
"dateUpdated": "2026-02-20T19:36:28.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0573 (GCVE-0-2026-0573)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:37 – Updated: 2026-02-18 21:20
VLAI?
Title
Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution
Summary
An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.21
(semver)
Affected: 3.15 , ≤ 3.15.16 (semver) Affected: 3.16 , ≤ 3.16.12 (semver) Affected: 3.17 , ≤ 3.17.9 (semver) Affected: 3.18 , ≤ 3.18.3 (semver) Affected: 3.19 , ≤ 3.19.1 (semver) |
Credits
R31n
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T21:18:26.120107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:20:02.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.22",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.21",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.16",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.12",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.9",
"status": "affected",
"version": "3.17",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.3",
"status": "affected",
"version": "3.18",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.1",
"status": "affected",
"version": "3.19",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "R31n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(129, 139, 152, 0.12);\"\u003eAn URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-178",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-178 Cross-Site Flashing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:37:39.601Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.22"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.17"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.13"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.4"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2026-0573",
"datePublished": "2026-02-18T20:37:39.601Z",
"dateReserved": "2026-01-02T16:56:23.289Z",
"dateUpdated": "2026-02-18T21:20:02.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13744 (GCVE-0-2025-13744)
Vulnerability from cvelistv5 – Published: 2026-01-06 20:44 – Updated: 2026-01-06 21:02
VLAI?
Title
Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML
Summary
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14.0 , ≤ 3.14.19
(semver)
Affected: 3.15.0 , ≤ 3.15.14 (semver) Affected: 3.16.0 , ≤ 3.16.10 (semver) Affected: 3.17.0 , ≤ 3.17.7 (semver) Affected: 3.18.0 , ≤ 3.18.1 (semver) Affected: 3.19 , ≤ 3.19.0 (semver) |
Credits
Roshan Kudave
Johan Carlsson
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T21:02:19.515512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T21:02:33.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.19",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.14",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.10",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.7",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.1",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.19.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.0",
"status": "affected",
"version": "3.19",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Roshan Kudave"
},
{
"lang": "en",
"type": "finder",
"value": "Johan Carlsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. \u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T20:44:02.712Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-13744",
"datePublished": "2026-01-06T20:44:02.712Z",
"dateReserved": "2025-11-26T14:34:22.118Z",
"dateUpdated": "2026-01-06T21:02:33.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14046 (GCVE-0-2025-14046)
Vulnerability from cvelistv5 – Published: 2025-12-11 17:52 – Updated: 2025-12-11 18:48
VLAI?
Title
Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Unaffected:
3.19.0
(semver)
Affected: 3.18.0 , ≤ 3.18.2 (semver) Affected: 3.17.0 , ≤ 3.17.8 (semver) Affected: 3.16.0 , ≤ 3.16.11 (semver) Affected: 3.15.0 , ≤ 3.15.15 (semver) Affected: 3.14.0 , ≤ 3.14.20 (semver) |
Credits
André Storfjord Kristiansen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T18:46:58.599003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T18:48:17.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"status": "unaffected",
"version": "3.19.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.2",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.8",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.11",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.15",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.20",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andr\u00e9 Storfjord Kristiansen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."
}
],
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T17:52:05.353Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-14046",
"datePublished": "2025-12-11T17:52:05.353Z",
"dateReserved": "2025-12-04T16:22:53.626Z",
"dateUpdated": "2025-12-11T18:48:17.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11578 (GCVE-0-2025-11578)
Vulnerability from cvelistv5 – Published: 2025-11-10 22:44 – Updated: 2025-12-02 20:08
VLAI?
Title
Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation
Summary
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.19
(semver)
Affected: 3.15 , ≤ 3.15.14 (semver) Affected: 3.16 , ≤ 3.16.10 (semver) Affected: 3.17 , ≤ 3.17.7 (semver) Affected: 3.18 , ≤ 3.18.1 (semver) |
Credits
inspector-ambitious
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:33:22.593181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:12:10.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.19",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.14",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.10",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.7",
"status": "affected",
"version": "3.17",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.18.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.18.1",
"status": "affected",
"version": "3.18",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "inspector-ambitious"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T20:08:21.684Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-11578",
"datePublished": "2025-11-10T22:44:33.200Z",
"dateReserved": "2025-10-10T07:00:07.064Z",
"dateUpdated": "2025-12-02T20:08:21.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11892 (GCVE-0-2025-11892)
Vulnerability from cvelistv5 – Published: 2025-11-10 22:43 – Updated: 2025-11-12 20:12
VLAI?
Title
DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.18.0 , < 3.18.1
(semver)
Affected: 3.17.0 , ≤ 3.17.6 (semver) Affected: 3.16.0 , ≤ 3.16.9 (semver) Affected: 3.15.0 , ≤ 3.15.13 (semver) Affected: 3.14.0 , ≤ 3.14.18 (semver) |
Credits
André Storfjord Kristiansen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:33:39.031235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:12:21.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.18.1",
"status": "unaffected"
}
],
"lessThan": "3.18.1",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.6",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.9",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.13",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.14.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.18",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andr\u00e9 Storfjord Kristiansen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to\u00a03.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19."
}
],
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to\u00a03.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T22:43:41.790Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-11892",
"datePublished": "2025-11-10T22:43:41.790Z",
"dateReserved": "2025-10-16T19:22:23.359Z",
"dateUpdated": "2025-11-12T20:12:21.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8447 (GCVE-0-2025-8447)
Vulnerability from cvelistv5 – Published: 2025-08-26 01:42 – Updated: 2025-08-26 18:34
VLAI?
Title
Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access
Summary
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14 , ≤ 3.14.16
(semver)
Affected: 3.15 , ≤ 3.15.11 (semver) Affected: 3.16 , ≤ 3.16.7 (semver) Affected: 3.17 , ≤ 3.17.4 (semver) |
Credits
furbreeze
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T18:34:46.734207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T18:34:59.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.14.16",
"status": "affected",
"version": "3.14",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.15.11",
"status": "affected",
"version": "3.15",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.16.7",
"status": "affected",
"version": "3.16",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.4",
"status": "affected",
"version": "3.17",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "furbreeze"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T01:42:37.424Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-8447",
"datePublished": "2025-08-26T01:42:37.424Z",
"dateReserved": "2025-07-31T20:15:16.466Z",
"dateUpdated": "2025-08-26T18:34:59.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6981 (GCVE-0-2025-6981)
Vulnerability from cvelistv5 – Published: 2025-07-15 20:44 – Updated: 2025-07-16 19:04
VLAI?
Title
Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access
Summary
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | Enterprise Server |
Affected:
3.14.0 , < 3.14.15
(semver)
Affected: 3.15.0 , < 3.15.10 (semver) Affected: 3.16.0 , < 3.16.6 (semver) Affected: 3.17.0 , < 3.17.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T19:04:01.443444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T19:04:18.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.14.15",
"status": "unaffected"
}
],
"lessThan": "3.14.15",
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.15.10",
"status": "unaffected"
}
],
"lessThan": "3.15.10",
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.16.6",
"status": "unaffected"
}
],
"lessThan": "3.16.6",
"status": "affected",
"version": "3.16.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "3.17.3",
"status": "unaffected"
}
],
"lessThan": "3.17.3",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u0026nbsp;3.15.10,\u0026nbsp;3.16.6 and\u0026nbsp;3.17.3"
}
],
"value": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u00a03.15.10,\u00a03.16.6 and\u00a03.17.3"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T20:44:30.022Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-6981",
"datePublished": "2025-07-15T20:44:30.022Z",
"dateReserved": "2025-07-01T18:28:24.614Z",
"dateUpdated": "2025-07-16T19:04:18.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6600 (GCVE-0-2025-6600)
Vulnerability from cvelistv5 – Published: 2025-07-01 18:56 – Updated: 2025-07-01 19:38
VLAI?
Title
GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Search API
Summary
An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GitHub | GitHub Enterprise Server |
Affected:
3.17.0 , ≤ 3.17.1
(semver)
|
Credits
Kyle Carberry
Ammar Bandukwala
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T19:38:34.417355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T19:38:49.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GitHub Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"changes": [
{
"at": "3.17.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.17.1",
"status": "affected",
"version": "3.17.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyle Carberry"
},
{
"lang": "en",
"type": "finder",
"value": "Ammar Bandukwala"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization\u2019s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization\u2019s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T18:56:45.625Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Search API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2025-6600",
"datePublished": "2025-07-01T18:56:45.625Z",
"dateReserved": "2025-06-25T02:29:00.545Z",
"dateUpdated": "2025-07-01T19:38:49.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-13744
Vulnerability from fkie_nvd - Published: 2026-01-06 21:15 - Updated: 2026-01-30 16:51
Severity ?
Summary
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | 3.19.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43EB11CA-6023-4B6E-824F-BC1E3B38BBC8",
"versionEndExcluding": "3.14.20",
"versionStartIncluding": "3.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F3CBE73-32C5-4F1A-A660-3016FA77E633",
"versionEndExcluding": "3.15.15",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "754773B0-BDEC-497C-91A7-F542A74C4414",
"versionEndExcluding": "3.16.11",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C3E38F9-7310-4901-90A8-C0BEAFA8A092",
"versionEndExcluding": "3.17.8",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9751597D-AD87-4C92-83EC-87D2474410C5",
"versionEndExcluding": "3.18.2",
"versionStartIncluding": "3.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:3.19.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BDF43C3-88EC-4454-A5CE-399677AF5834",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"id": "CVE-2025-13744",
"lastModified": "2026-01-30T16:51:10.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-06T21:15:41.933",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-14046
Vulnerability from fkie_nvd - Published: 2025-12-11 18:16 - Updated: 2025-12-19 19:47
Severity ?
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EF86D06-BA41-42A4-B1AF-5398BB75D321",
"versionEndExcluding": "3.14.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC5DF0C2-A9E5-46DC-8C09-F2FC55453734",
"versionEndExcluding": "3.15.16",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6EAE627-E160-4656-AF99-554C807B3B3C",
"versionEndExcluding": "3.16.12",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B09055B-2885-4BD6-85A7-AEA22FBF98FD",
"versionEndExcluding": "3.17.9",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C90038CC-CAF1-4B27-9FB6-BB5BB35C1B48",
"versionEndExcluding": "3.18.3",
"versionStartIncluding": "3.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21."
}
],
"id": "CVE-2025-14046",
"lastModified": "2025-12-19T19:47:36.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-11T18:16:19.253",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-11892
Vulnerability from fkie_nvd - Published: 2025-11-10 23:15 - Updated: 2025-12-08 18:18
Severity ?
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | 3.18.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE371B2A-27C6-432C-B393-4449FE4E704D",
"versionEndExcluding": "3.14.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F5D6CEF9-A65E-4011-92EC-30D566B68ACC",
"versionEndExcluding": "3.15.14",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C40998E-2CE4-4E66-96B5-678B0200020B",
"versionEndExcluding": "3.16.10",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93616F6E-50F6-4568-BFD5-7D2998072D3A",
"versionEndExcluding": "3.17.7",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:3.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EFA76CB6-C151-4331-8E0A-8AC656247F8B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to\u00a03.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19."
}
],
"id": "CVE-2025-11892",
"lastModified": "2025-12-08T18:18:51.627",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-10T23:15:41.377",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.19"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.14"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.10"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.7"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.1"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-11578
Vulnerability from fkie_nvd - Published: 2025-11-10 23:15 - Updated: 2025-12-08 18:22
Severity ?
Summary
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user’s authorized keys—thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8 | Release Notes, Vendor Advisory | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43EB11CA-6023-4B6E-824F-BC1E3B38BBC8",
"versionEndExcluding": "3.14.20",
"versionStartIncluding": "3.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F3CBE73-32C5-4F1A-A660-3016FA77E633",
"versionEndExcluding": "3.15.15",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "754773B0-BDEC-497C-91A7-F542A74C4414",
"versionEndExcluding": "3.16.11",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C3E38F9-7310-4901-90A8-C0BEAFA8A092",
"versionEndExcluding": "3.17.8",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9751597D-AD87-4C92-83EC-87D2474410C5",
"versionEndExcluding": "3.18.2",
"versionStartIncluding": "3.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and execute a payload that adds their own SSH key to the root user\u2019s authorized keys\u2014thereby granting themselves root SSH access to the server. To exploit this vulnerability, the attacker needed to have enterprise admin privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19, and was fixed in versions 3.14.20, 3.15.15, 3.16.11, 3.17.8, 3.18.2. This vulnerability was reported via the GitHub Bug Bounty program."
}
],
"id": "CVE-2025-11578",
"lastModified": "2025-12-08T18:22:46.843",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-10T23:15:41.193",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-8447
Vulnerability from fkie_nvd - Published: 2025-08-26 02:15 - Updated: 2025-09-03 17:42
Severity ?
Summary
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92B484DA-6E4D-4EF5-91A8-CAC1FF941FFF",
"versionEndExcluding": "3.14.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4BC30E7-7E02-49F7-836E-C8821E931CF1",
"versionEndExcluding": "3.15.12",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "25F5CF4D-9502-4ADB-981D-388EF4477066",
"versionEndExcluding": "3.16.8",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9267B319-C1A9-4E15-861E-DE925AD4C23D",
"versionEndExcluding": "3.17.5",
"versionStartIncluding": "3.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad de control de acceso indebido en GitHub Enterprise Server que permit\u00eda a los usuarios con acceso a cualquier repositorio recuperar c\u00f3digo limitado de otro mediante la creaci\u00f3n de una comparaci\u00f3n entre ellos. Para explotar esta vulnerabilidad, un atacante necesitaba conocer el nombre de un repositorio privado, junto con sus ramas, etiquetas o SHA de commit, para activar la funci\u00f3n de comparaci\u00f3n y obtener c\u00f3digo limitado sin la debida autorizaci\u00f3n. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.18 y se corrigi\u00f3 en las versiones 3.14.17, 3.15.12, 3.16.8 y 3.17.5. Se inform\u00f3 de esta vulnerabilidad a trav\u00e9s del programa de recompensas por errores de GitHub."
}
],
"id": "CVE-2025-8447",
"lastModified": "2025-09-03T17:42:50.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-26T02:15:36.270",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-6981
Vulnerability from fkie_nvd - Published: 2025-07-15 21:15 - Updated: 2025-08-27 14:41
Severity ?
Summary
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DB5F812-AC13-42A9-A069-91F1B79C5DF3",
"versionEndExcluding": "3.14.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1BCFE1AA-2E9A-441B-AF29-09CCC145C35E",
"versionEndExcluding": "3.15.10",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABD1C16F-FEA8-4F55-8568-B6B5358E25D7",
"versionEndExcluding": "3.16.6",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C1A2E92-5EBA-44C7-B250-EEBBE0BFC1F2",
"versionEndExcluding": "3.17.3",
"versionStartIncluding": "3.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u00a03.15.10,\u00a03.16.6 and\u00a03.17.3"
},
{
"lang": "es",
"value": "Una vulnerabilidad de autorizaci\u00f3n incorrecta permit\u00eda el acceso de lectura no autorizado al contenido de los repositorios internos de las cuentas de contratistas cuando la API de Contratistas estaba habilitada. Esta API es una funci\u00f3n que rara vez se habilita en la vista previa privada. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.18 y se corrigi\u00f3 en las versiones 3.14.15, 3.15.10, 3.16.6 y 3.17.3."
}
],
"id": "CVE-2025-6981",
"lastModified": "2025-08-27T14:41:04.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-15T21:15:34.630",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-6600
Vulnerability from fkie_nvd - Published: 2025-07-01 19:15 - Updated: 2025-09-05 14:59
Severity ?
Summary
An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "36732E86-7360-4F74-A171-BF8FA7777D43",
"versionEndExcluding": "3.17.2",
"versionStartIncluding": "3.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization\u2019s repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial en GitHub Enterprise Server que podr\u00eda permitir a un atacante divulgar los nombres de repositorios privados dentro de una organizaci\u00f3n. Este problema podr\u00eda explotarse mediante un token de usuario a servidor sin alcances a trav\u00e9s del endpoint de la API de b\u00fasqueda. Para explotarlo con \u00e9xito, el administrador de la organizaci\u00f3n tuvo que instalar una aplicaci\u00f3n maliciosa de GitHub en los repositorios de la organizaci\u00f3n. Esta vulnerabilidad afect\u00f3 \u00fanicamente a la versi\u00f3n 3.17 de GitHub Enterprise Server y se solucion\u00f3 en la versi\u00f3n 3.17.2. La vulnerabilidad se report\u00f3 a trav\u00e9s del programa de recompensas por errores de GitHub."
}
],
"id": "CVE-2025-6600",
"lastModified": "2025-09-05T14:59:47.533",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-01T19:15:28.003",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.2"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-3509
Vulnerability from fkie_nvd - Published: 2025-04-17 23:15 - Updated: 2025-09-05 14:59
Severity ?
Summary
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, 3.13.16. This vulnerability was reported via the GitHub Bug Bounty program.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.16 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.13 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.8 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.4 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.1 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3C5F793-EC1B-4ABA-BEAD-10634D6AF3D3",
"versionEndExcluding": "3.13.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5BC40DA-FEB5-4513-B0B2-6175497C9FC5",
"versionEndExcluding": "3.14.13",
"versionStartIncluding": "3.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F5CC5B-DDE2-45A7-9E5B-5B3A962AD9BE",
"versionEndExcluding": "3.15.8",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB12D8C7-F06C-47F0-A749-82B412183F7B",
"versionEndExcluding": "3.16.4",
"versionStartIncluding": "3.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "264DD23D-9D82-4CB3-AEAE-196E0F2A614F",
"versionEndExcluding": "3.17.1",
"versionStartIncluding": "3.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.17.1, 3.16.4, 3.15.8, 3.14.13, 3.13.16. This vulnerability was reported via the GitHub Bug Bounty program."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) en GitHub Enterprise Server que permit\u00eda a los atacantes ejecutar c\u00f3digo arbitrario explotando la funcionalidad del gancho de prerecepci\u00f3n, lo que podr\u00eda provocar una escalada de privilegios y comprometer el sistema. La vulnerabilidad implica el uso de puertos asignados din\u00e1micamente que se vuelven temporalmente disponibles, como durante una actualizaci\u00f3n de parches. Esto significa que la vulnerabilidad solo es explotable en condiciones operativas espec\u00edficas, lo que limita la ventana de ataque. La explotaci\u00f3n requer\u00eda permisos de administrador del sitio para habilitar y configurar los ganchos de prerecepci\u00f3n o un usuario con permisos para modificar repositorios que contuvieran ganchos de prerecepci\u00f3n donde esta funcionalidad ya estuviera habilitada. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.17 y se corrigi\u00f3 en las versiones 3.16.2, 3.15.6, 3.14.11 y 3.13.14. Esta vulnerabilidad se report\u00f3 a trav\u00e9s del programa de recompensas por errores de GitHub."
}
],
"id": "CVE-2025-3509",
"lastModified": "2025-09-05T14:59:50.080",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-17T23:15:42.260",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.16"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.13"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.8"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.4"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.1"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-3246
Vulnerability from fkie_nvd - Published: 2025-04-17 23:15 - Updated: 2025-09-05 15:00
Severity ?
Summary
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | 3.16.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:3.16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C916F330-E6B5-478B-9525-F8AC38472743",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad de neutralizaci\u00f3n de entrada incorrecta en GitHub Enterprise Server que permit\u00eda cross-site scripting en GitHub Markdown que utilizaban bloques matem\u00e1ticos `$$..$$`. Su explotaci\u00f3n requer\u00eda acceso a la instancia de GitHub Enterprise Server objetivo e interacci\u00f3n de usuario privilegiado con los elementos maliciosos. Esta vulnerabilidad afect\u00f3 a la versi\u00f3n 3.16.1 de GitHub Enterprise Server y se corrigi\u00f3 en la versi\u00f3n 3.16.2. Esta vulnerabilidad se report\u00f3 a trav\u00e9s del programa de recompensas por errores de GitHub."
}
],
"id": "CVE-2025-3246",
"lastModified": "2025-09-05T15:00:02.387",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-17T23:15:42.123",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-3124
Vulnerability from fkie_nvd - Published: 2025-04-17 23:15 - Updated: 2025-09-05 15:00
Severity ?
Summary
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn't otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Overview was required to be filtered only using the `archived:` filter and all other access controls were functioning normally. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.17 and was fixed in versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2.
References
| URL | Tags | ||
|---|---|---|---|
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.14 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.11 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.6 | Release Notes | |
| product-cna@github.com | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * | |
| github | enterprise_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2E45A981-5733-4DCB-B6C3-97BE212BBD06",
"versionEndExcluding": "3.13.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C8B89DB-16A4-4DD2-9C89-62533F2F55F8",
"versionEndExcluding": "3.14.11",
"versionStartIncluding": "3.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "27ECD3E6-9B4B-4E53-8CF2-FCF04FC7E0C9",
"versionEndExcluding": "3.15.6",
"versionStartIncluding": "3.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B5D5F10-62A7-4636-915F-82A5F19539E5",
"versionEndExcluding": "3.16.2",
"versionStartIncluding": "3.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn\u0027t otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Overview was required to be filtered only using the `archived:` filter and all other access controls were functioning normally. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.17 and was fixed in versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2."
},
{
"lang": "es",
"value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n faltante en GitHub Enterprise Server que permit\u00eda a un usuario ver los nombres de repositorios privados a los que, de otro modo, no tendr\u00eda acceso en la descripci\u00f3n general de seguridad de GitHub Advanced Security. Esta descripci\u00f3n general de seguridad deb\u00eda filtrarse \u00fanicamente con el filtro `archived:` y todos los dem\u00e1s controles de acceso funcionaban con normalidad. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.17 y se corrigi\u00f3 en las versiones 3.13.14, 3.14.11, 3.15.6 y 3.16.2."
}
],
"id": "CVE-2025-3124",
"lastModified": "2025-09-05T15:00:04.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "product-cna@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-17T23:15:41.593",
"references": [
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.14"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.11"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.6"
},
{
"source": "product-cna@github.com",
"tags": [
"Release Notes"
],
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2"
}
],
"sourceIdentifier": "product-cna@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "product-cna@github.com",
"type": "Secondary"
}
]
}