GitHub Enterprise Server DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in GitHub Enterprise Server. The issue arises from improper handling of task list content during rendering: HTML supplied by a user in a task list item is injected into the page and executed as script in the browser session of any other user who views it. All versions of GitHub Enterprise Server prior to 3.20 are affected. An authenticated attacker can exploit the issue by placing crafted task list items in an issue or pull request.

Impact

Successful exploitation gives the attacker arbitrary script execution in the affected user's browser session on the GitHub Enterprise Server origin, which can be used for session hijacking or for other actions carried out with the victim's privileges.

Reproduction

To reproduce this vulnerability, an authenticated user creates a task list item in an issue or pull request whose text contains malicious HTML. When another user views the page and the task list is rendered client-side, the injected HTML is inserted into the DOM and its script content runs in that user's browser, bypassing the Content Security Policy protections in place.
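As an added illustration of the bug class described above (this is not GitHub's code; the renderer, its function names, the task-list grammar subset and the sample issue body are all constructed for the example), the following shows a client-side task list renderer that interpolates item text into an innerHTML sink unescaped, beside a hardened version that escapes every user-controlled fragment first:

```javascript
// Added example: a constructed client-side task-list renderer showing the
// DOM-based XSS pattern (item text reaching an innerHTML sink unescaped)
// next to a hardened version. This is NOT GitHub's code; the function names,
// the task-list grammar subset and the sample inputs are assumptions.

// Matches "- [ ] text" / "* [x] text"; group 1 is the checkbox state, group 2 the text.
const TASK_ITEM = /^\s*[-*]\s+\[( |x|X)\]\s+(.*)$/;

// Parse task-list lines into structured items; non-matching lines are ignored.
function parseTaskList(markdown) {
  const items = [];
  for (const line of markdown.split('\n')) {
    const m = TASK_ITEM.exec(line);
    if (m) items.push({ checked: m[1].toLowerCase() === 'x', text: m[2] });
  }
  return items;
}

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

function checkboxHtml(item) {
  return `<input type="checkbox" disabled${item.checked ? ' checked' : ''}>`;
}

// VULNERABLE: item.text is interpolated verbatim, so markup in the task text
// becomes live DOM once the string is assigned to innerHTML.
function renderTaskListUnsafe(markdown) {
  return parseTaskList(markdown)
    .map(item => `<li class="task-list-item">${checkboxHtml(item)} ${item.text}</li>`)
    .join('');
}

// HARDENED: every user-controlled fragment is escaped before it reaches the sink.
function renderTaskListSafe(markdown) {
  return parseTaskList(markdown)
    .map(item => `<li class="task-list-item">${checkboxHtml(item)} ${escapeHtml(item.text)}</li>`)
    .join('');
}

// The DOM sink. In a browser `container` is an element; outside a browser a
// plain object can be passed so the assignment can be inspected without a DOM.
function mountTaskList(container, markdown, { safe = true } = {}) {
  container.innerHTML = safe ? renderTaskListSafe(markdown) : renderTaskListUnsafe(markdown);
  return container.innerHTML;
}

// Constructed sample issue body: one benign item and one carrying a generic XSS canary.
const SAMPLE_ISSUE_BODY = [
  '- [x] Reviewed the failing test',
  '- [ ] <img src=x onerror="alert(document.domain)">',
].join('\n');

// Detector for the demo: does the rendered output contain a tag the renderer never emits?
function containsForeignTag(html) {
  return /<(?!\/?(li|input)\b)[a-z]/i.test(html);
}

function demo() {
  const unsafe = mountTaskList({}, SAMPLE_ISSUE_BODY, { safe: false });
  const safe = mountTaskList({}, SAMPLE_ISSUE_BODY, { safe: true });
  console.log('unsafe renderer leaks foreign tag:', containsForeignTag(unsafe));
  console.log('safe renderer leaks foreign tag:  ', containsForeignTag(safe));
  return { unsafe, safe };
}

demo();
```

The point of the example is where the untrusted text meets the sink: the parser is identical in both paths, and only the escaping before the innerHTML assignment differs. In a real page the hardened variant would preferably build the list with createElement and textContent rather than escaping into a string. Note that a Content Security Policy without unsafe-inline would normally stop the onerror handler in this canary; the advisory states that the real issue bypassed CSP but does not describe the execution path, so this example should not be read as a reproduction of that detail.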

Remediation

Upgrade to GitHub Enterprise Server 3.18.6 or 3.19.3, both of which include the fix. No fixed release is listed here for earlier release lines; instances on those lines are affected and should move to one of the patched versions above.

Added: Mar 10, 2026, 8:22 PM
Updated: Mar 10, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          1.7
exploitability  5.3
remediation     7.7
relevance       3.7
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.