Impact
A reflected HTML injection flaw exists in the GitHub Enterprise Server Management Console login page. The redirect_to query parameter on the /setup/unlock endpoint is inserted directly into an HTML attribute without sanitization, allowing an attacker to embed a malicious form that captures credentials. An admin who clicks a crafted link and enters their username and password could have those credentials harvested. This issue does not provide remote code execution, but it enables credential theft through a user-interaction attack.
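The root cause described above is a query parameter rendered into an HTML attribute without output encoding or validation of the redirect target. The Ruby below is an added illustration written for this page, not GitHub's Management Console code: it models the unsafe rendering pattern next to a hardened version that validates redirect_to as a same-origin relative path and HTML-escapes it on output, and it adds a simple check a defender can run over access-log lines to flag unlock requests whose redirect_to carries attribute-breaking characters. The endpoint paths match the advisory; DEFAULT_REDIRECT, the function names and the log lines are assumptions constructed for the example.

```ruby
# Added example (not GitHub's code): unsafe vs hardened rendering of a
# query parameter into an HTML attribute, plus a log check for the pattern.
require "erb"
require "uri"

DEFAULT_REDIRECT = "/setup/settings" # assumed fallback target, not from the advisory

# Unsafe: the parameter is interpolated straight into the attribute, so any
# quote or angle bracket in the value changes the page's markup.
def render_unlock_form_unsafe(redirect_to)
  %(<form method="post" action="/setup/unlock">) +
    %(<input type="hidden" name="redirect_to" value="#{redirect_to}">) +
    %(</form>)
end

# Accept only a same-origin relative path: a single leading "/", not
# protocol-relative ("//host"), and no scheme or host once parsed.
# Anything else falls back to a fixed default.
def safe_redirect_target(redirect_to)
  return DEFAULT_REDIRECT if redirect_to.nil? || redirect_to.empty?
  return DEFAULT_REDIRECT unless redirect_to.start_with?("/") && !redirect_to.start_with?("//")
  begin
    uri = URI.parse(redirect_to) # raises on characters a path may not contain
  rescue URI::InvalidURIError
    return DEFAULT_REDIRECT
  end
  return DEFAULT_REDIRECT if uri.scheme || uri.host
  redirect_to
end

# Hardened: validate first, then HTML-escape at the point of output so the
# value can never terminate the attribute or introduce new elements.
def render_unlock_form_safe(redirect_to)
  target = ERB::Util.html_escape(safe_redirect_target(redirect_to))
  %(<form method="post" action="/setup/unlock">) +
    %(<input type="hidden" name="redirect_to" value="#{target}">) +
    %(</form>)
end

# Detection helper: a redirect path has no legitimate need for quotes or
# angle brackets, so their presence is a cheap signal worth reviewing.
def suspicious_redirect_param?(value)
  value.to_s.match?(/["'<>]/)
end

# Constructed sample access-log lines (not real traffic) in common log format.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /setup/unlock?redirect_to=/setup/settings HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /setup/unlock?redirect_to=/x%22y HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /setup/settings HTTP/1.1" 200 512
LOG

# Return the log lines that request /setup/unlock with a suspicious
# redirect_to value (percent-decoding is applied before the check).
def flag_unlock_requests(log_text)
  log_text.each_line.filter_map do |line|
    next unless (m = line.match(%r{"GET (/setup/unlock\?[^ "]+) HTTP}))
    query = URI.parse(m[1]).query or next
    value = URI.decode_www_form(query).to_h["redirect_to"]
    line.strip if suspicious_redirect_param?(value)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_unlock_form_safe("/setup/settings?next=a&b=1")
  puts flag_unlock_requests(SAMPLE_LOG)
end
```

Validating the target and escaping the output are independent controls: validation keeps the redirect on-site, escaping keeps the attribute intact even if validation is later loosened. The log check is deliberately narrow (one endpoint, one parameter) so it can be dropped into an existing pipeline without generating noise on ordinary logins.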
Affected Systems
GitHub Enterprise Server is affected. Versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1 contain the flaw, while versions 3.19.6 and 3.20.2 contain the fix.
Risk and Exploitability
With a CVSS score of 5.9, the vulnerability is of moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been widely exploited. Exploitation requires social engineering – an attacker would need to deliver a link to an administrator and rely on the admin to click it and submit credentials. The required user interaction and the lack of a propagation mechanism keep the attack surface relatively low, but the potential for credential compromise makes the risk significant for systems where privileged accounts are at stake.
OpenCVE Enrichment