GitHub Enterprise Server Shell Metacharacter Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A vulnerability in GitHub Enterprise Server prior to 3.21 allows authenticated Management Console administrators to execute arbitrary operating system commands. The injection point is the proxy configuration fields, such as http_proxy: values entered there reach a shell without shell metacharacters being neutralized. Exploitation requires network access to the GitHub Enterprise Server instance and administrator privileges in the Management Console.
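The defensive pattern behind this class of bug, as an added example: the snippet below is constructed for illustration and is not GitHub Enterprise Server code, nor does it reflect the vendor's actual fix. It shows the two steps that close a shell-metacharacter injection in an administrator-supplied configuration field such as http_proxy: strict validation of the value against what a proxy URL can legitimately contain, and invoking any downstream command with an argument list rather than a shell string. The function names, the regular expressions and the sample values are all assumptions.

```python
"""Hardened handling of an administrator-supplied proxy setting (constructed example)."""
import re
import subprocess
from urllib.parse import urlsplit

# Characters that carry meaning for /bin/sh. A proxy URL never needs any of them,
# so their presence is a clear reject rather than something to escape.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\ ]")
# Hostname: letters, digits, dots and hyphens only (constructed, deliberately strict).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def validate_proxy_url(value: str) -> str:
    """Return the value unchanged if it is a plain http(s) proxy URL, else raise ValueError."""
    if _SHELL_META.search(value):
        raise ValueError("proxy setting contains shell metacharacters")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("proxy scheme must be http or https")
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        raise ValueError("proxy host is not a valid hostname")
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        raise ValueError("proxy port is not numeric") from None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("proxy URL must not carry a path, query or fragment")
    return value


def is_valid_proxy_url(value: str) -> bool:
    """Boolean wrapper around validate_proxy_url for callers that only need a verdict."""
    try:
        validate_proxy_url(value)
    except ValueError:
        return False
    return True


def safe_command(value: str) -> list[str]:
    """Argument vector that exports the validated setting to a child process.

    Anti-pattern this replaces (never do this with operator-controlled input):
        subprocess.run(f"http_proxy={value} tool --check", shell=True)
    With an argv list there is no shell to interpret the value, and validation
    has already rejected anything that is not a URL. 'true' is a placeholder
    for the real tool that consumes the proxy setting.
    """
    return ["env", f"http_proxy={validate_proxy_url(value)}", "true"]


def apply_proxy_setting(value: str) -> int:
    """Validate and run the placeholder command without a shell; return its exit status."""
    return subprocess.run(safe_command(value), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate proxy, three that must be rejected.
    samples = [
        "http://proxy.example.com:3128",
        "http://proxy.example.com:3128; id",
        "http://$(whoami).example.com",
        "ftp://proxy.example.com",
    ]
    for sample in samples:
        print(f"{sample!r}: {'accepted' if is_valid_proxy_url(sample) else 'rejected'}")
```

The important design choice is allow-listing rather than escaping: a proxy setting has a small, well-defined grammar, so rejecting anything outside it is both simpler and safer than trying to quote metacharacters correctly for whichever shell eventually runs the command.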

Impact

Successful exploitation allows for arbitrary command execution on the server as the admin OS user.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.

Added: Apr 21, 2026, 11:59 PM
Updated: Apr 21, 2026, 11:59 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.