
    154 vulnerabilities found for Enterprise Server by GitHub

    CVE-2026-10585 (GCVE-0-2026-10585)

    Vulnerability from nvd – Published: 2026-06-30 21:39 – Updated: 2026-07-01 15:36
    Title
    Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category
    Summary
    A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Credits
    hamayanhamayan; Seokchan Yoon (hxxps://ch4n3.kr)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10585",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:36:51.127934Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:36:59.198Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "hamayanhamayan"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Seokchan Yoon (hxxps://ch4n3.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user\u0027s browser by injecting a crafted payload into the title of a Discussion in the Q\u0026amp;A category. The \u003ccode\u003eAnsweredQuestionStructuredDataComponent\u003c/code\u003e did not escape user-controlled Discussion titles before embedding them in a \u003ccode\u003e\u0026lt;script type=\"application/ld+json\"\u0026gt;\u003c/code\u003e block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user\u0027s browser by injecting a crafted payload into the title of a Discussion in the Q\u0026A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a \u003cscript type=\"application/ld+json\"\u003e block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:04:35.540Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q\u0026A category",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-10585",
        "datePublished": "2026-06-30T21:39:02.311Z",
        "dateReserved": "2026-06-01T19:08:05.407Z",
        "dateUpdated": "2026-07-01T15:36:59.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9132 (GCVE-0-2026-9132)

    Vulnerability from nvd – Published: 2026-06-30 20:23 – Updated: 2026-07-01 15:37
    Title
    Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint
    Summary
    A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Credits
    Seokchan Yoon

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:37:41.106015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:37:50.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Seokchan Yoon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The\u003cbr\u003e   Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view\u003cbr\u003e   the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all\u003cbr\u003e   versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The\n   Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view\n   the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all\n   versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:23:37.445Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4-features"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9132",
        "datePublished": "2026-06-30T20:23:37.445Z",
        "dateReserved": "2026-05-20T18:18:07.930Z",
        "dateUpdated": "2026-07-01T15:37:50.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9106 (GCVE-0-2026-9106)

    Vulnerability from nvd – Published: 2026-06-30 20:21 – Updated: 2026-07-01 15:37
    Title
    UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen
    Summary
    A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.21.0 , ≤ 3.21.1 (semver)
    Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Credits
    VAIBHAV SINGH (@vaib25vicky)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:37:19.373936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:37:28.521Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.21.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "VAIBHAV SINGH (@vaib25vicky)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization\u0027s runner management. An attacker could exploit this by creating an OAuth application requesting the \u003ccode\u003emanage_runners:org\u003c/code\u003e scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was  fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization\u0027s runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was  fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-173",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-173 Action Spoofing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:03:08.700Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9106",
        "datePublished": "2026-06-30T20:21:12.484Z",
        "dateReserved": "2026-05-20T17:12:51.109Z",
        "dateUpdated": "2026-07-01T15:37:28.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9312 (GCVE-0-2026-9312)

    Vulnerability from nvd – Published: 2026-05-27 00:02 – Updated: 2026-06-30 20:53
    Title
    Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.21.0 , < 3.21.1 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9312",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:48.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.21.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:53:28.093Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9312",
        "datePublished": "2026-05-27T00:02:32.159Z",
        "dateReserved": "2026-05-22T18:42:28.097Z",
        "dateUpdated": "2026-06-30T20:53:28.093Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8606 (GCVE-0-2026-8606)

    Vulnerability from nvd – Published: 2026-05-26 23:59 – Updated: 2026-05-27 13:50
    Title
    Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
    Summary
    A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled. On instances not running in private mode, the vulnerability was exploitable without authentication; otherwise, any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.21.0 , < 3.21.1 (semver)
    Affected: 3.20.0 , ≤ 3.20.2 (semver)
    Affected: 3.19.0 , ≤ 3.19.6 (semver)
    Affected: 3.18.0 , ≤ 3.18.9 (semver)
    Affected: 3.17.0 , ≤ 3.17.15 (semver)
    Affected: 3.16.0 , ≤ 3.16.18 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8606",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T13:50:00.819968Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:50:10.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.21.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.2",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.6",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.9",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.16",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.15",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.19",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.18",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            },
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T23:59:41.742Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8606",
        "datePublished": "2026-05-26T23:59:41.742Z",
        "dateReserved": "2026-05-14T15:28:24.899Z",
        "dateUpdated": "2026-05-27T13:50:10.475Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8106 (GCVE-0-2026-8106)

    Vulnerability from nvd – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:07
    Title
    Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft
    Summary
    A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.19.1 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Unaffected: 3.19.0 (semver)
    Unaffected: 3.21.0 (semver)
    Credits
    maksyche

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:07:24.192705Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:07:33.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.1",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "maksyche"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-243",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-243 XSS Targeting HTML Attributes"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:59.259Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8106",
        "datePublished": "2026-05-07T21:18:59.259Z",
        "dateReserved": "2026-05-07T14:46:18.902Z",
        "dateUpdated": "2026-05-08T13:07:33.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8034 (GCVE-0-2026-8034)

    Vulnerability from nvd – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:03
    Title
    Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Unaffected: 3.21.0 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:02:57.242500Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:03:12.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436 Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:49.812Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8034",
        "datePublished": "2026-05-07T21:18:49.812Z",
        "dateReserved": "2026-05-06T13:06:48.690Z",
        "dateUpdated": "2026-05-08T13:03:12.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7541 (GCVE-0-2026-7541)

    Vulnerability from nvd – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:44
    Title
    Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint
    Summary
    A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Credits
    Nguyen Nhat Anh (GitHub: anh2025)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7541",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:44:37.884506Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:44:52.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Nhat Anh (GitHub: anh2025)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:35.655Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-7541",
        "datePublished": "2026-05-07T21:18:35.655Z",
        "dateReserved": "2026-04-30T18:42:48.142Z",
        "dateUpdated": "2026-05-08T13:44:52.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6736 (GCVE-0-2026-6736)

    Vulnerability from nvd – Published: 2026-05-07 21:14 – Updated: 2026-05-08 13:57
    Title
    Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider
    Summary
    An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GitHub Enterprise Server (GHES) instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:57:09.447908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:57:18.111Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:27:45.553Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-6736",
        "datePublished": "2026-05-07T21:14:33.490Z",
        "dateReserved": "2026-04-21T02:53:28.704Z",
        "dateUpdated": "2026-05-08T13:57:18.111Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5921 (GCVE-0-2026-5921)

    Vulnerability from nvd – Published: 2026-04-21 22:11 – Updated: 2026-04-22 13:18
    Title
    Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , < 3.14.26 (semver)
    Affected: 3.15.0 , < 3.15.21 (semver)
    Affected: 3.16.0 , < 3.16.17 (semver)
    Affected: 3.17.0 , < 3.17.14 (semver)
    Affected: 3.18.0 , < 3.18.8 (semver)
    Affected: 3.19.0 , < 3.19.5 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:17:53.690876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:18:03.644Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.14.26",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.15.21",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance\u0027s open redirect endpoint through an external redirect to reach internal services.\u0026nbsp;This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance\u0027s open redirect endpoint through an external redirect to reach internal services.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-462",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-462 Cross-Domain Search Timing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:11:28.950Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5921",
        "datePublished": "2026-04-21T22:11:02.077Z",
        "dateReserved": "2026-04-08T20:59:17.367Z",
        "dateUpdated": "2026-04-22T13:18:03.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5845 (GCVE-0-2026-5845)

    Vulnerability from nvd – Published: 2026-04-21 22:42 – Updated: 2026-04-22 18:04
    Title
    Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
    Summary
    An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, including write operations. The cause was an authorization fallback that treated a revoked or deleted installation as a global installation context; this could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through user-controlled key
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.20.0 , < 3.20.1 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T18:03:53.486677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:04:05.173Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authorization vulnerability in scoped user-to-server (\u003ccode\u003eghu_\u003c/code\u003e) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            },
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26 Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:42:13.198Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5845",
        "datePublished": "2026-04-21T22:42:13.198Z",
        "dateReserved": "2026-04-08T18:28:58.486Z",
        "dateUpdated": "2026-04-22T18:04:05.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5512 (GCVE-0-2026-5512)

    Vulnerability from nvd – Published: 2026-04-21 22:12 – Updated: 2026-04-22 17:39
    Title
    Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API
    Summary
    An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of sensitive information into sent data
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5512",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T17:38:49.635439Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T17:39:01.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of sensitive information into sent data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:14:01.033Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5512",
        "datePublished": "2026-04-21T22:12:58.344Z",
        "dateReserved": "2026-04-03T18:21:52.907Z",
        "dateUpdated": "2026-04-22T17:39:01.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4821 (GCVE-0-2026-4821)

    Vulnerability from nvd – Published: 2026-04-21 22:12 – Updated: 2026-06-10 04:53

    This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error.


    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-06-10T04:53:20.658Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error."
                }
              ],
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-4821",
        "datePublished": "2026-04-21T22:12:26.772Z",
        "dateRejected": "2026-06-10T04:53:20.658Z",
        "dateReserved": "2026-03-25T13:55:26.048Z",
        "dateUpdated": "2026-06-10T04:53:20.658Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4296 (GCVE-0-2026-4296)

    Vulnerability from nvd – Published: 2026-04-21 22:12 – Updated: 2026-04-22 13:16
    Title
    Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass
    Summary
    An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. Note the prerequisites encoded in the CNA's CVSS 4.0 vector (AT:P, PR:L, UI:P): the attacker needs low-privilege access, an attack precondition must hold (presumably knowledge of the registered callback URL, as the description states), and the victim must follow the crafted link; the impact on the victim's account is nonetheless rated high for confidentiality, integrity and availability. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-185 - Incorrect Regular Expression
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    ahacker1 hacktron

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:16:42.627751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:16:53.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "hacktron"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application\u0027s registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim\u0027s account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application\u0027s registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim\u0027s account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-185",
                  "description": "CWE-185 Incorrect Regular Expression",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:12:45.356Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-4296",
        "datePublished": "2026-04-21T22:12:45.356Z",
        "dateReserved": "2026-03-16T17:48:03.040Z",
        "dateUpdated": "2026-04-22T13:16:53.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3307 (GCVE-0-2026-3307)

    Vulnerability from nvd – Published: 2026-04-21 22:23 – Updated: 2026-04-22 18:00
    Title
    Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers
    Summary
    An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository named in the URL, but the action was applied to the different repository identified by the owner_id in the request body (a classic user-controlled-key, CWE-639, mismatch between the authorized object and the acted-upon object). The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. Note that these fixed versions are one patch level earlier than those for CVE-2026-4296 above, so an instance on 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 or 3.19.4 is patched for this issue but not for that one. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.24 (semver)
    Affected: 3.15.0 , ≤ 3.15.19 (semver)
    Affected: 3.16.0 , ≤ 3.16.15 (semver)
    Affected: 3.17.0 , ≤ 3.17.12 (semver)
    Affected: 3.18.0 , ≤ 3.18.6 (semver)
    Affected: 3.19.0 , ≤ 3.19.3 (semver)
    Affected: 3.20 , ≤ 3.20.0 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T17:59:58.981543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:00:21.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.25",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.24",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.19",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.16",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.15",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.12",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.6",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.3",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.0",
                  "status": "affected",
                  "version": "3.20",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-58",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-58 Restful Privilege Elevation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:23:25.045Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-3307",
        "datePublished": "2026-04-21T22:23:25.045Z",
        "dateReserved": "2026-02-26T21:00:43.352Z",
        "dateUpdated": "2026-04-22T18:00:21.619Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10585 (GCVE-0-2026-10585)

    Vulnerability from cvelistv5 – Published: 2026-06-30 21:39 – Updated: 2026-07-01 15:36
    Title
    Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category
    Summary
    A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context (JSON embedded in a script element must escape "</" and similar sequences in addition to normal JSON escaping). The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy, so the CSP alone was not an effective mitigation. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20; note that this record lists affected ranges only for the 3.16 through 3.20 release lines, unlike the older records on this page, which also cover 3.14 and 3.15. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Credits
    hamayanhamayan Seokchan Yoon (hxxps://ch4n3.kr)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10585",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:36:51.127934Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:36:59.198Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "hamayanhamayan"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Seokchan Yoon (hxxps://ch4n3.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user\u0027s browser by injecting a crafted payload into the title of a Discussion in the Q\u0026amp;A category. The \u003ccode\u003eAnsweredQuestionStructuredDataComponent\u003c/code\u003e did not escape user-controlled Discussion titles before embedding them in a \u003ccode\u003e\u0026lt;script type=\"application/ld+json\"\u0026gt;\u003c/code\u003e block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user\u0027s browser by injecting a crafted payload into the title of a Discussion in the Q\u0026A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a \u003cscript type=\"application/ld+json\"\u003e block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:04:35.540Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q\u0026A category",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-10585",
        "datePublished": "2026-06-30T21:39:02.311Z",
        "dateReserved": "2026-06-01T19:08:05.407Z",
        "dateUpdated": "2026-07-01T15:36:59.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9132 (GCVE-0-2026-9132)

    Vulnerability from cvelistv5 – Published: 2026-06-30 20:23 – Updated: 2026-07-01 15:37
    Title
    Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint
    Summary
    A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Credits
    Seokchan Yoon

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:37:41.106015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:37:50.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Seokchan Yoon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The\u003cbr\u003e   Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view\u003cbr\u003e   the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all\u003cbr\u003e   versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The\n   Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the requesting user was authorized to view\n   the target repository. Exploitation required an authenticated account on the instance with read access to at least one repository to use as the comparison base. This vulnerability affected all\n   versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, and 3.20.4. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:23:37.445Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8-features"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4-features"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9132",
        "datePublished": "2026-06-30T20:23:37.445Z",
        "dateReserved": "2026-05-20T18:18:07.930Z",
        "dateUpdated": "2026-07-01T15:37:50.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9106 (GCVE-0-2026-9106)

    Vulnerability from cvelistv5 – Published: 2026-06-30 20:21 – Updated: 2026-07-01 15:37
    Title
    UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen
    Summary
    A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.21.0 , ≤ 3.21.1 (semver)
    Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Credits
    VAIBHAV SINGH (@vaib25vicky)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:37:19.373936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:37:28.521Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.21.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "VAIBHAV SINGH (@vaib25vicky)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization\u0027s runner management. An attacker could exploit this by creating an OAuth application requesting the \u003ccode\u003emanage_runners:org\u003c/code\u003e scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was  fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization\u0027s runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was  fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-173",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-173 Action Spoofing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T13:03:08.700Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9106",
        "datePublished": "2026-06-30T20:21:12.484Z",
        "dateReserved": "2026-05-20T17:12:51.109Z",
        "dateUpdated": "2026-07-01T15:37:28.521Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9312 (GCVE-0-2026-9312)

    Vulnerability from cvelistv5 – Published: 2026-05-27 00:02 – Updated: 2026-06-30 20:53
    Title
    Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.19 (semver)
    Affected: 3.17.0 , ≤ 3.17.16 (semver)
    Affected: 3.18.0 , ≤ 3.18.10 (semver)
    Affected: 3.19.0 , ≤ 3.19.7 (semver)
    Affected: 3.20.0 , ≤ 3.20.3 (semver)
    Affected: 3.21.0 , < 3.21.1 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9312",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:48.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.19",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.16",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.10",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.7",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.3",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.21.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T20:53:28.093Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-9312",
        "datePublished": "2026-05-27T00:02:32.159Z",
        "dateReserved": "2026-05-22T18:42:28.097Z",
        "dateUpdated": "2026-06-30T20:53:28.093Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8606 (GCVE-0-2026-8606)

    Vulnerability from cvelistv5 – Published: 2026-05-26 23:59 – Updated: 2026-05-27 13:50
    Title
    Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
    Summary
    A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program. Reviewer note: two preconditions gate this issue — GitHub Packages must be enabled, and the unauthenticated path applies only when the instance is not in private mode — so confirm both when triaging exposure. Because the data at risk are signing secrets and private keys inferred through a timing side channel, upgrading does not undo a leak that has already occurred; if the lookup endpoint was reachable by untrusted parties while the instance was unpatched, rotate the affected secrets in addition to applying the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.21.0 , < 3.21.1 (semver)
    Affected: 3.20.0 , ≤ 3.20.2 (semver)
    Affected: 3.19.0 , ≤ 3.19.6 (semver)
    Affected: 3.18.0 , ≤ 3.18.9 (semver)
    Affected: 3.17.0 , ≤ 3.17.15 (semver)
    Affected: 3.16.0 , ≤ 3.16.18 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8606",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T13:50:00.819968Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:50:10.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.21.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.21.1",
                  "status": "affected",
                  "version": "3.21.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.2",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.6",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.9",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.16",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.15",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.19",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.18",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            },
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T23:59:41.742Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8606",
        "datePublished": "2026-05-26T23:59:41.742Z",
        "dateReserved": "2026-05-14T15:28:24.899Z",
        "dateUpdated": "2026-05-27T13:50:10.475Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8106 (GCVE-0-2026-8106)

    Vulnerability from cvelistv5 – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:07
    Title
    Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft
    Summary
    A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.19.1 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Unaffected: 3.19.0 (semver)
    Unaffected: 3.21.0 (semver)
    Credits
    maksyche

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:07:24.192705Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:07:33.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.1",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "maksyche"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-243",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-243 XSS Targeting HTML Attributes"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:59.259Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8106",
        "datePublished": "2026-05-07T21:18:59.259Z",
        "dateReserved": "2026-05-07T14:46:18.902Z",
        "dateUpdated": "2026-05-08T13:07:33.764Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8034 (GCVE-0-2026-8034)

    Vulnerability from cvelistv5 – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:03
    Title
    Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Unaffected: 3.21.0 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8034",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:02:57.242500Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:03:12.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.21.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436 Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:49.812Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-8034",
        "datePublished": "2026-05-07T21:18:49.812Z",
        "dateReserved": "2026-05-06T13:06:48.690Z",
        "dateUpdated": "2026-05-08T13:03:12.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7541 (GCVE-0-2026-7541)

    Vulnerability from cvelistv5 – Published: 2026-05-07 21:18 – Updated: 2026-05-08 13:44
    Title
    Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint
    Summary
    A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)
    Credits
    Nguyen Nhat Anh (GitHub: anh2025)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7541",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:44:37.884506Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:44:52.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Nhat Anh (GitHub: anh2025)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:18:35.655Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-7541",
        "datePublished": "2026-05-07T21:18:35.655Z",
        "dateReserved": "2026-04-30T18:42:48.142Z",
        "dateUpdated": "2026-05-08T13:44:52.426Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6736 (GCVE-0-2026-6736)

    Vulnerability from cvelistv5 – Published: 2026-05-07 21:14 – Updated: 2026-05-08 13:57
    Title
    Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider
    Summary
    An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.16.0 , ≤ 3.16.17 (semver)
    Affected: 3.17.0 , ≤ 3.17.14 (semver)
    Affected: 3.18.0 , ≤ 3.18.8 (semver)
    Affected: 3.19.0 , ≤ 3.19.5 (semver)
    Affected: 3.20.0 , ≤ 3.20.1 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T13:57:09.447908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T13:57:18.111Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.16.18",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.15",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T21:27:45.553Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-6736",
        "datePublished": "2026-05-07T21:14:33.490Z",
        "dateReserved": "2026-04-21T02:53:28.704Z",
        "dateUpdated": "2026-05-08T13:57:18.111Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5845 (GCVE-0-2026-5845)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:42 – Updated: 2026-04-22 18:04
    Title
    Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
    Summary
    An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allowed an authenticated attacker to access private repositories outside the intended installation scope, including write operations, via an authorization fallback that treated a revoked or deleted installation as a global installation context. This could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.20.0 , < 3.20.1 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T18:03:53.486677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:04:05.173Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authorization vulnerability in scoped user-to-server (\u003ccode\u003eghu_\u003c/code\u003e) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
                }
              ],
              "value": "An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            },
            {
              "capecId": "CAPEC-26",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-26 Leveraging Race Conditions"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:42:13.198Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5845",
        "datePublished": "2026-04-21T22:42:13.198Z",
        "dateReserved": "2026-04-08T18:28:58.486Z",
        "dateUpdated": "2026-04-22T18:04:05.173Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3307 (GCVE-0-2026-3307)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:23 – Updated: 2026-04-22 18:00
    Title
    Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers
    Summary
    An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.24 (semver)
    Affected: 3.15.0 , ≤ 3.15.19 (semver)
    Affected: 3.16.0 , ≤ 3.16.15 (semver)
    Affected: 3.17.0 , ≤ 3.17.12 (semver)
    Affected: 3.18.0 , ≤ 3.18.6 (semver)
    Affected: 3.19.0 , ≤ 3.19.3 (semver)
    Affected: 3.20 , ≤ 3.20.0 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T17:59:58.981543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:00:21.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.25",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.24",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.20",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.19",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.16",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.15",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.13",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.12",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.6",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.3",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.20.0",
                  "status": "affected",
                  "version": "3.20",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-58",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-58 Restful Privilege Elevation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:23:25.045Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-3307",
        "datePublished": "2026-04-21T22:23:25.045Z",
        "dateReserved": "2026-02-26T21:00:43.352Z",
        "dateUpdated": "2026-04-22T18:00:21.619Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5512 (GCVE-0-2026-5512)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:12 – Updated: 2026-04-22 17:39
    Title
    Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API
    Summary
    An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of sensitive information into sent data
    Assigner
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    ahacker1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5512",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T17:38:49.635439Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T17:39:01.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositories the caller did not have access to. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of sensitive information into sent data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:14:01.033Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5512",
        "datePublished": "2026-04-21T22:12:58.344Z",
        "dateReserved": "2026-04-03T18:21:52.907Z",
        "dateUpdated": "2026-04-22T17:39:01.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4296 (GCVE-0-2026-4296)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:12 – Updated: 2026-04-22 13:16
    Title
    Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass
    Summary
    An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim's account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-185 - Incorrect Regular Expression
    Assigner: GitHub_P
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.25 (semver)
    Affected: 3.15.0 , ≤ 3.15.20 (semver)
    Affected: 3.16.0 , ≤ 3.16.16 (semver)
    Affected: 3.17.0 , ≤ 3.17.13 (semver)
    Affected: 3.18.0 , ≤ 3.18.7 (semver)
    Affected: 3.19.0 , ≤ 3.19.4 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    ahacker1, hacktron

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:16:42.627751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:16:53.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.14.25",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.15.20",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.16.16",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.17.13",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.18.7",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.19.4",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ahacker1"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "hacktron"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application\u0027s registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim\u0027s account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
                }
              ],
              "value": "An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application\u0027s registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorization code to an attacker-controlled domain. This could allow the attacker to gain unauthorized access to the victim\u0027s account with the scopes granted to the OAuth application. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-185",
                  "description": "CWE-185 Incorrect Regular Expression",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:12:45.356Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-4296",
        "datePublished": "2026-04-21T22:12:45.356Z",
        "dateReserved": "2026-03-16T17:48:03.040Z",
        "dateUpdated": "2026-04-22T13:16:53.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4821 (GCVE-0-2026-4821)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:12 – Updated: 2026-06-10 04:53

    This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error.


    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-06-10T04:53:20.658Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error."
                }
              ],
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it was published in error."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-4821",
        "datePublished": "2026-04-21T22:12:26.772Z",
        "dateRejected": "2026-06-10T04:53:20.658Z",
        "dateReserved": "2026-03-25T13:55:26.048Z",
        "dateUpdated": "2026-06-10T04:53:20.658Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5921 (GCVE-0-2026-5921)

    Vulnerability from cvelistv5 – Published: 2026-04-21 22:11 – Updated: 2026-04-22 13:18
    Title
    Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack
    Summary
    A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner: GitHub_P
    Impacted products
    Vendor Product Version
    GitHub Enterprise Server Affected: 3.14.0 , < 3.14.26 (semver)
    Affected: 3.15.0 , < 3.15.21 (semver)
    Affected: 3.16.0 , < 3.16.17 (semver)
    Affected: 3.17.0 , < 3.17.14 (semver)
    Affected: 3.18.0 , < 3.18.8 (semver)
    Affected: 3.19.0 , < 3.19.5 (semver)
    Affected: 3.20.0 , < 3.20.1 (semver)
    Credits
    R31n

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:17:53.690876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:18:03.644Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Enterprise Server",
              "vendor": "GitHub",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.14.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.14.26",
                  "status": "affected",
                  "version": "3.14.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.15.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.15.21",
                  "status": "affected",
                  "version": "3.15.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.16.17",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.16.17",
                  "status": "affected",
                  "version": "3.16.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.17.14",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.17.14",
                  "status": "affected",
                  "version": "3.17.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.18.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.18.8",
                  "status": "affected",
                  "version": "3.18.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.19.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.19.5",
                  "status": "affected",
                  "version": "3.19.0",
                  "versionType": "semver"
                },
                {
                  "changes": [
                    {
                      "at": "3.20.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "3.20.1",
                  "status": "affected",
                  "version": "3.20.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "R31n"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance\u0027s open redirect endpoint through an external redirect to reach internal services.\u0026nbsp;This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance\u0027s open redirect endpoint through an external redirect to reach internal services.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-462",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-462 Cross-Domain Search Timing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.9,
                "baseSeverity": "HIGH",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T22:11:28.950Z",
            "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
            "shortName": "GitHub_P"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.26"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "assignerShortName": "GitHub_P",
        "cveId": "CVE-2026-5921",
        "datePublished": "2026-04-21T22:11:02.077Z",
        "dateReserved": "2026-04-08T20:59:17.367Z",
        "dateUpdated": "2026-04-22T13:18:03.644Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }