Description
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-03-10
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: DOM-based Cross-Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can exploit a flaw in the task list content extraction logic of GitHub Enterprise Server to inject content into the page. The vulnerable code fails to re-encode browser-decoded text nodes, so text the browser has already decoded (for example a "<" that was stored as "&lt;") is written back into the DOM as markup, letting a user place arbitrary HTML in an issue or pull request task list item. When rendered, the browser executes any embedded script in the context of the victim's session, giving the attacker the ability to steal credentials, deface content or perform other actions as that user. The root weakness is improper neutralization of input during web page generation, i.e. cross-site scripting (CWE-79).
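The decode-then-render round trip described above, as an added illustration that is not GitHub's code: a pure-string model of the vulnerable extractor beside a re-encoding fix, so it runs outside a browser. The names decodeTextNode, renderTaskItemVulnerable, renderTaskItemFixed and containsInjectedTag, and the sample item, are constructed for this example; decodeTextNode stands in for what a browser hands back from a text node's textContent.

```javascript
// Model of a browser text node: entities the server escaped come back DECODED.
// (Hypothetical helper; a real browser does this when you read textContent.)
function decodeTextNode(escapedHtml) {
  return escapedHtml
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Re-encoding step that must run before decoded text reaches innerHTML.
function encodeForHtml(text) {
  return text
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable extractor (the bug class in the advisory): trusts the decoded
// text and writes it back into an HTML template as markup.
function renderTaskItemVulnerable(textNodeHtml) {
  const decoded = decodeTextNode(textNodeHtml);
  return `<li><input type="checkbox"> ${decoded}</li>`;
}

// Hardened extractor: re-encodes the decoded text before rendering.
function renderTaskItemFixed(textNodeHtml) {
  const decoded = decodeTextNode(textNodeHtml);
  return `<li><input type="checkbox"> ${encodeForHtml(decoded)}</li>`;
}

// Crude check used only to show the difference: after removing the template's
// own tags, is any tag left that came from user content?
function containsInjectedTag(rendered) {
  const withoutTemplate = rendered.replace(/<li>|<\/li>|<input type="checkbox">/g, "");
  return /<[a-z]/i.test(withoutTemplate);
}

// Constructed sample: the server escaped the author's text correctly on the way
// out, so the stored node is safe; the defect is the client-side round trip.
const sampleNode = "Ship release &lt;b&gt;now&lt;/b&gt;";

console.log(renderTaskItemVulnerable(sampleNode)); // user's <b> lands as markup
console.log(renderTaskItemFixed(sampleNode));      // user's <b> stays text
```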

Affected Systems

GitHub Enterprise Server is affected in all releases preceding 3.20. Fixes were issued in versions 3.18.6 and 3.19.3. Any instance running 3.18.0-3.18.5 or 3.19.0-3.19.2, as well as 3.17.x and older releases, is vulnerable. The issue was addressed by patching the extraction logic to properly neutralize (re-encode) task list content before rendering.

Risk and Exploitability

With a CVSS score of 7.4, this vulnerability is rated high severity, yet its EPSS score is below 1%, indicating a low but non-zero likelihood of exploitation in the wild. It is not listed in the KEV catalog. An authenticated attacker can craft a malicious task list item that, when viewed by another user, triggers arbitrary script execution in that user's browser. The attack vector is the web interface where valid users add or edit issue and pull request content, so environments with many authenticated users and open issue discussion are at higher risk. Prompt patching removes the risk.

Generated by OpenCVE AI on April 16, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest GitHub Enterprise Server release (3.18.6 or newer, or 3.19.3 or newer) to apply the fix for the XSS issue.
  • If an upgrade cannot be performed immediately, restrict the creation or editing of task list items for unauthenticated users and consider disabling task lists until a patch is available.
  • Audit existing repository content for potentially malicious task list entries and either sanitize or delete any that contain unexpected HTML.
  • Monitor for unusual script activity or unauthorized session hijacking events in the application logs.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 18:45:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 11 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Github; Github enterprise Server
Vendors & Products                    Github; Github enterprise Server

Tue, 10 Mar 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    (the vulnerability description shown at the top of this page)
Title                          Improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting via task list content and enabled arbitrary HTML injection
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-03-11T14:15:09.704Z

Reserved: 2026-02-09T20:09:11.272Z

Link: CVE-2026-2266

Vulnrichment

Updated: 2026-03-11T14:15:05.756Z

NVD

Status: Analyzed

Published: 2026-03-10T20:16:39.610

Modified: 2026-03-12T18:43:27.720

Link: CVE-2026-2266

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses