Github Enterprise Server vulnerabilities
113 known vulnerabilities affecting github/enterprise_server.
Total CVEs: 113
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 18, HIGH 33, MEDIUM 58, LOW 4
Vulnerabilities
Page 2 of 6
CVE-2024-1372 | P3 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 3.8.15; ≥ 3.9.0, < 3.9.10; +3 more | 2024-02-13
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console w
Source: nvd
CVE-2024-1359 | P3 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 3.8.15; ≥ 3.9.0, < 3.9.10; +6 more | 2024-02-13
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console wi
Source: nvd
CVE-2025-23369 | P3 | HIGH | CVSS 8.8 | CWE-347 | fixed in 3.12.14; ≥ 3.13.0, < 3.13.10; +6 more | 2025-01-21
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise
Source: nvd
CVE-2022-23740 | P3 | HIGH | CVSS 8.8 | CWE-88 | v3.7.0 | 2022-11-23
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise
Source: nvd
CVE-2023-23760 | P3 | HIGH | CVSS 8.8 | CWE-22 | fixed in 3.4.17; ≥ 3.5.0, < 3.5.14; +6 more | 2023-03-08
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise S
Source: nvd
CVE-2026-5921 | P3 | HIGH | CVSS 8.9 | CWE-918 | fixed in 3.14.26; ≥ 3.15.0, < 3.15.21; +7 more | 2026-04-21
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating t
Source: nvd
CVE-2022-23739 | P3 | CRITICAL | CVSS 9.8 | CWE-863 | fixed in 3.3.16; ≥ 3.4.0, < 3.4.11; +3 more | 2023-01-17
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted pe
Source: nvd
CVE-2024-10007 | P3 | CRITICAL | CVSS 9.1 | CWE-59 | fixed in 3.11.17; ≥ 3.12.0, < 3.12.11; +6 more | 2024-11-07
A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enter
Source: nvd
CVE-2023-46647 | P3 | HIGH | CVSS 8.8 | CWE-269 | ≥ 3.8.0, < 3.8.12; ≥ 3.9.0, < 3.9.6; +4 more | 2023-12-21
Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in ve
Source: nvd
CVE-2023-22381 | P3 | HIGH | CVSS 8.8 | CWE-94 | fixed in 3.4.15; ≥ 3.5.0, < 3.5.12; +6 more | 2023-03-02
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with
Source: nvd
CVE-2026-4296 | P3 | HIGH | CVSS 8.8 | CWE-185 | fixed in 3.14.26; ≥ 3.15.0, < 3.15.21; +12 more | 2026-04-21
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, when clicked by a victim, would redirect the OAuth authorizatio
Source: nvd
CVE-2022-23732 | P3 | HIGH | CVSS 8.8 | CWE-23 | fixed in 3.1.19; ≥ 3.2.0, < 3.2.11; +2 more | 2022-04-05
A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versio
Source: nvd
CVE-2025-11892 | P3 | CRITICAL | CVSS 9.6 | CWE-79 | fixed in 3.14.19; ≥ 3.15.0, < 3.15.14; +8 more | 2025-11-10
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance
Source: nvd
CVE-2024-1354 | P3 | HIGH | CVSS 8.0 | CWE-20 | fixed in 3.8.15; ≥ 3.9.0, < 3.9.10; +3 more | 2024-02-13
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the `syslog-ng` configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Conso
Source: nvd
CVE-2025-3509 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 3.13.16; ≥ 3.14.0, < 3.14.13; +8 more | 2025-04-17
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as
Source: nvd
CVE-2025-11578 | P3 | HIGH | CVSS 7.2 | CWE-59 | ≥ 3.14.0, < 3.14.20; ≥ 3.15.0, < 3.15.15; +8 more | 2025-11-10
A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root SSH access to the appliance by exploiting a symlink escape in pre-receive hook environments. By crafting a malicious repository and environment, an attacker could replace system binaries during hook cleanup and exe
Source: nvd
CVE-2024-2469 | P3 | HIGH | CVSS 7.2 | CWE-20 | fixed in 3.8.17; ≥ 3.9.0, < 3.9.12; +8 more | 2024-03-20
An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.
Source: nvd
CVE-2024-2443 | P3 | HIGH | CVSS 7.2 | CWE-20 | fixed in 3.8.17; ≥ 3.9.0, < 3.9.12; +3 more | 2024-03-20
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console wi
Source: nvd
CVE-2024-3646 | P3 | HIGH | CVSS 7.2 | CWE-20 | fixed in 3.9.13; ≥ 3.10.0, < 3.10.10; +3 more | 2024-04-19
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the instance when configuring the chat integration. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console
Source: nvd
CVE-2023-6847 | P3 | HIGH | CVSS 7.5 | CWE-287 | ≥ 3.9.0, < 3.9.7; ≥ 3.10.0, < 3.10.4; +2 more | 2023-12-21
An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterpri
Source: nvd