Github Enterprise Server vulnerabilities
113 known vulnerabilities affecting github/enterprise_server.
Total CVEs: 113
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 18 | HIGH 33 | MEDIUM 58 | LOW 4
Vulnerabilities
Page 4 of 6
CVE-2023-22380 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | affected: ≥ 3.7.0, < 3.7.6 | published: 2023-02-16
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterpris
nvd
CVE-2024-1908 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | fixed in 3.8.16; affected: ≥ 3.9.0, < 3.9.11 (+3 more ranges) | published: 2024-03-21
An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versio
nvd
CVE-2024-5566 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more ranges) | published: 2024-07-16
An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related Personal Access Token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17.
nvd
CVE-2024-10001 | P3 | HIGH | CVSS 7.1 | CWE-94 | fixed in 3.11.6; affected: ≥ 3.12.0, < 3.12.10 (+7 more ranges) | published: 2025-01-29
A Code Injection vulnerability was identified in GitHub Enterprise Server that allowed attackers to inject malicious code into the query selector via the identity property in the message handling function. This enabled the exfiltration of sensitive data by manipulating the DOM, including authentication tokens. To execute the attack, the victim must be l
nvd
CVE-2022-23737 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | fixed in 3.2.20; affected: ≥ 3.3.0, < 3.3.15 (+3 more ranges) | published: 2022-12-01
An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise
nvd
CVE-2022-46258 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 3.3.16; affected: ≥ 3.4.0, < 3.4.11 (+2 more ranges) | published: 2023-01-09
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to
nvd
CVE-2024-8810 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | affected: ≥ 3.10.0, < 3.10.17; ≥ 3.11.0, < 3.11.15 (+8 more ranges) | published: 2024-11-07
A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versi
nvd
CVE-2026-8606 | P3 | MEDIUM | CVSS 5.9 | CWE-918 | fixed in 3.16.19; affected: ≥ 3.17.0, < 3.17.16 (+10 more ranges) | published: 2026-05-27
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the val
nvd
CVE-2025-3246 | P3 | HIGH | CVSS 7.6 | CWE-79 | affected: v3.16.1 | published: 2025-04-17
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16
nvd
CVE-2021-22865 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 2.21.18; affected: ≥ 2.22.0, < 2.22.10 (+1 more range) | published: 2021-04-02
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App
nvd
CVE-2023-23765 | P3 | MEDIUM | CVSS 6.5 | CWE-697 | affected: ≥ 3.6.0, < 3.6.16; ≥ 3.7.0, < 3.7.13 (+3 more ranges) | published: 2023-08-30
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/
nvd
CVE-2026-9132 | P3 | MEDIUM | CVSS 6.0 | CWE-862 | affected: ≥ 3.17.0, ≤ 3.17.16; ≥ 3.18.0, ≤ 3.18.10 (+2 more ranges) | published: 2026-06-30
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range and rendered the resulting diff without verifying that the
nvd
CVE-2023-46649 | P3 | HIGH | CVSS 7.0 | CWE-367 | affected: ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12 (+8 more ranges) | published: 2023-12-21
A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
nvd
CVE-2024-5795 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more ranges) | published: 2024-07-16
A Denial of Service vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause unbounded resource exhaustion by sending a large payload to the Git server. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnera
nvd
CVE-2024-2440 | P4 | MEDIUM | CVSS 5.9 | CWE-367 | fixed in 3.9.13; affected: ≥ 3.10.0, < 3.10.10 (+6 more ranges) | published: 2024-04-19
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.9.13, 3.10.10, 3.11.8 and 3.
nvd
CVE-2026-10585 | P4 | MEDIUM | CVSS 6.3 | CWE-79 | affected: ≥ 3.17.0, ≤ 3.17.16; ≥ 3.18.0, ≤ 3.18.10 (+2 more ranges) | published: 2026-06-30
A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion
nvd
CVE-2024-5815 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more ranges) | published: 2024-07-16
A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. v
nvd
CVE-2025-14046 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.14.21; affected: ≥ 3.15.0, < 3.15.16 (+8 more ranges) | published: 2025-12-11
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side
nvd
CVE-2023-23762 | P4 | MEDIUM | CVSS 5.3 | CWE-697 | fixed in 3.4.18; affected: ≥ 3.5.0, < 3.5.15 (+8 more ranges) | published: 2023-04-07
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff. To do so, an attacker would need write access to the repository and be able to correctly guess the target branch before it’s created by the code maintainer. This vulnerability affected all versions of GitHub
nvd
CVE-2022-23738 | P4 | MEDIUM | CVSS 5.7 | CWE-200 | affected: ≥ 3.2.0, < 3.2.20; ≥ 3.3.0, < 3.3.15 (+3 more ranges) | published: 2022-11-01
An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator
nvd