GitHub Enterprise Server Server-Side Request Forgery Vulnerability in Notebook Viewer

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in the GitHub Enterprise Server notebook viewer, affecting all versions prior to 3.21. This vulnerability allows attackers to access internal services by exploiting a mismatch in URL parsing between the validation layer and the HTTP request library. Exploitation requires network access to the GitHub Enterprise Server instance with private mode disabled.
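The class of bug described above, a validator and an HTTP client reading the same URL differently, is usually closed by parsing once and handing the client only what was validated. The following is an added, generic illustration in Python, not GitHub's code or its fix; `validate_fetch_url`, `system_resolver` and `RejectedURL` are hypothetical names, and returning a pinned IP for the caller to connect to is an assumption that goes slightly beyond the advisory text.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

class RejectedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""

def system_resolver(host):
    # All addresses the name maps to; every one of them must pass the check.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def validate_fetch_url(url, resolver=system_resolver):
    """Return (canonical_url, pinned_ip) for a fetchable URL, else raise."""
    # Backslashes, whitespace and control characters are where URL parsers
    # most often disagree, so refuse them instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise RejectedURL("ambiguous character in URL")
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        raise RejectedURL(f"unparseable URL: {exc}") from None
    if parts.scheme not in ("http", "https"):
        raise RejectedURL("scheme not allowed")
    if "@" in parts.netloc:
        raise RejectedURL("userinfo not allowed")
    if not host:
        raise RejectedURL("missing host")
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (ValueError, OSError) as exc:
        raise RejectedURL(f"host did not resolve cleanly: {exc}") from None
    if not addrs or not all(a.is_global for a in addrs):
        raise RejectedURL("host resolves to a non-public address")
    # Rebuild the URL from the validated components only; the raw input
    # string never reaches the HTTP client, so it cannot be parsed twice.
    netloc = f"[{host}]" if ":" in host else host
    if port is not None:
        netloc += f":{port}"
    canonical = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    return canonical, str(addrs[0])
```

The caller should connect to the returned address and disable redirects, or re-run the check on every redirect target.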

Impact

Exploitation of this vulnerability could lead to unauthorized access of internal services, potentially allowing attackers to manipulate or disrupt those services.

Remediation

This vulnerability has been fixed in GitHub Enterprise Server versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2.

Added: May 7, 2026, 10:35 PM
Updated: May 7, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.4
exploitability: 6.8
remediation: 7.7
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.