GitHub Enterprise Server vulnerabilities
113 known vulnerabilities affecting github/enterprise_server.
Total CVEs: 113
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 18, HIGH 33, MEDIUM 58, LOW 4
Vulnerabilities
Page 5 of 6
CVE-2023-6746 | P4 | MEDIUM | CVSS 5.7 | CWE-532 | Affected: ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12 (+8 more) | 2023-12-21 | Source: nvd
An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance,
CVE-2024-5816 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | Affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more) | 2024-07-16 | Source: nvd
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server pr
CVE-2023-23761 | P4 | MEDIUM | CVSS 5.3 | CWE-287 | Affected: fixed in 3.4.18; ≥ 3.5.0, < 3.5.15 (+8 more) | 2023-04-07 | Source: nvd
An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. To do so, a user had to know the secret gist's URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was
CVE-2026-8106 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.19.1, < 3.19.6; ≥ 3.20.0, < 3.20.2 (+2 more) | 2026-05-07 | Source: nvd
A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administ
CVE-2023-46646 | P4 | MEDIUM | CVSS 5.3 | CWE-639 | Affected: ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12 (+6 more) | 2023-12-21 | Source: nvd
Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fi
CVE-2024-6336 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more) | 2024-07-16 | Source: nvd
A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting the organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability
CVE-2023-46645 | P4 | MEDIUM | CVSS 4.9 | CWE-22 | Affected: ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12 (+4 more) | 2023-12-21 | Source: nvd
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterpris
CVE-2023-6804 | P4 | MEDIUM | CVSS 5.5 | CWE-269 | Affected: ≥ 3.8.0, < 3.8.12; ≥ 3.9.0, < 3.9.7 (+6 more) | 2023-12-21 | Source: nvd
Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
CVE-2024-6395 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 3.9.0, < 3.9.17; ≥ 3.10.0, < 3.10.14 (+3 more) | 2024-07-16 | Source: nvd
An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.
CVE-2025-13744 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 3.14.0, < 3.14.20; ≥ 3.15.0, < 3.15.15 (+10 more) | 2026-01-06 | Source: nvd
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of miles
CVE-2024-1084 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: fixed in 3.8.15; ≥ 3.9.0, < 3.9.10 (+6 more) | 2024-02-13 | Source: nvd
Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fi
CVE-2022-23733 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 3.3.0, < 3.3.11; ≥ 3.4.0, < 3.4.6 (+1 more) | 2022-08-02 | Source: nvd
A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by GitHub's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was repor
CVE-2023-23763 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 3.6.0, < 3.6.18; ≥ 3.7.0, < 3.7.16 (+2 more) | 2023-09-01 | Source: nvd
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16
CVE-2024-8770 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.10.0, < 3.10.17; ≥ 3.11.0, < 3.11.15 (+3 more) | 2024-09-23 | Source: nvd
A Cross-Site Scripting (XSS) vulnerability was identified in the repository transfer feature of GitHub Enterprise Server, which allows attackers to steal sensitive user information via social engineering. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in version 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. This vuln
CVE-2026-2266 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: fixed in 3.18.6; ≥ 3.19.0, < 3.19.3 (+2 more) | 2026-03-10 | Source: nvd
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker
CVE-2023-51379 | P4 | MEDIUM | CVSS 4.9 | CWE-863 | Affected: ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12 (+8 more) | 2023-12-21 | Source: nvd
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHu
CVE-2026-3306 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | Affected: fixed in 3.14.24; ≥ 3.15.0, < 3.15.19 (+10 more) | 2026-03-10 | Source: nvd
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repos
CVE-2024-7711 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 3.11.0, < 3.11.14; ≥ 3.12.0, < 3.12.8 (+1 more) | 2024-08-20 | Source: nvd
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3
CVE-2026-5512 | P4 | MEDIUM | CVSS 4.3 | CWE-201 | Affected: fixed in 3.14.26; ≥ 3.15.0, < 3.15.21 (+12 more) | 2026-04-21 | Source: nvd
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messages included the full repository name for repositorie
CVE-2026-3582 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | Affected: fixed in 3.16.15; ≥ 3.17.0, < 3.17.12 (+6 more) | 2026-03-10 | Source: nvd
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user must have had existing access to the repository through