GitHub Enterprise Server vulnerabilities
113 known vulnerabilities affecting github/enterprise_server.
Total CVEs: 113
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 18, HIGH 33, MEDIUM 58, LOW 4
Vulnerabilities (page 6 of 6)
CVE-2025-3124 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 3.13.14; ≥ 3.14.0, < 3.14.11; +6 more | 2025-04-17
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn't otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Overview was required to be filtered only using the `archived:` filter and all other access controls
Source: NVD
CVE-2025-6981 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 3.14.5; ≥ 3.15.0, < 3.15.10; +3 more | 2025-07-15
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in
Source: NVD
CVE-2023-51380 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | ≥ 3.7.0, < 3.7.19; ≥ 3.8.0, < 3.8.12; +8 more | 2023-12-21
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in versions 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
Source: NVD
CVE-2021-22868 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.22.22; ≥ 3.0.0, < 3.0.16; +1 more | 2021-09-24
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need per
Source: NVD
CVE-2024-9539 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 3.11.16; ≥ 3.12.0, < 3.12.10; +2 more | 2024-10-11
An information disclosure vulnerability was identified in GitHub Enterprise Server via an attacker-uploaded asset URL, allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click
Source: NVD
CVE-2022-46257 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 3.3.0, < 3.3.17; ≥ 3.4.0, < 3.4.12; +2 more | 2023-03-07
An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to
Source: NVD
CVE-2025-6600 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 3.17.0, < 3.17.2 | 2025-07-01
An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization
Source: NVD
CVE-2024-2748 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | v3.12.0; ≥ 3.12, ≤ 3.12.0 | 2024-03-21
A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized actions on behalf of an unsuspecting user. A mitigating factor is that user interaction is required. This vulnerability affected GitHub Enterprise Server 3.12.0 and was fixed in version 3.12.1. This vulnerability was
Source: NVD
CVE-2026-3307 | P4 | LOW | CVSS 2.7 | CWE-639 | fixed in 3.14.26; ≥ 3.15.0, < 3.15.21; +12 more | 2026-04-21
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in th
Source: NVD
CVE-2023-6803 | P4 | MEDIUM | CVSS 4.0 | CWE-367 | ≥ 3.8.0, < 3.8.12; ≥ 3.9.0, < 3.9.7; +6 more | 2023-12-21
A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
Source: NVD
CVE-2025-8447 | P4 | LOW | CVSS 3.1 | CWE-639 | fixed in 3.14.17; ≥ 3.15.0, < 3.15.12; +6 more | 2025-08-26
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags,
Source: NVD
CVE-2024-8263 | P4 | LOW | CVSS 2.7 | CWE-269 | ≥ 3.10.0, < 3.10.17; ≥ 3.11.0, < 3.11.15; +3 more | 2024-09-23
An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped PAT through the use of nested tags. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. This vulnerability was reported via the GitHub Bug Bounty progr
Source: NVD
CVE-2023-6690 | P4 | LOW | CVSS 2.0 | CWE-367 | ≥ 3.8.0, < 3.8.12; ≥ 3.9.0, < 3.9.7; +6 more | 2023-12-21
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
Source: NVD