CVE-2026-2266

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6	Release Notes
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

12 Mar 2026, 18:43

Type	Values Removed	Values Added
First Time		Github Github enterprise Server
CPE		cpe:2.3:a:github:enterprise_server::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6 -~~	() https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3 -~~	() https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3 - Release Notes

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de neutralización de entrada inadecuada fue identificada en GitHub Enterprise Server que permitía cross-site scripting basado en DOM a través del contenido de listas de tareas. La lógica de extracción de contenido de listas de tareas no recodificaba correctamente los nodos de texto decodificados por el navegador antes de la renderización, permitiendo que HTML proporcionado por el usuario fuera inyectado en la página. Un atacante autenticado podría crear elementos maliciosos de listas de tareas en incidencias o solicitudes de extracción para ejecutar scripts arbitrarios en el contexto de la sesión del navegador de otro usuario. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server anteriores a la 3.20 y fue corregida en las versiones 3.18.6 y 3.19.3. Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty.

10 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 20:16

Updated : 2026-03-12 18:43

NVD link : CVE-2026-2266

Mitre link : CVE-2026-2266

CVE.ORG link : CVE-2026-2266

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10