CVE-2026-2266

Improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting via task list content and enabled arbitrary HTML injection

Assigner: GitHub_P
Reserved: 09.02.2026 Published: 10.03.2026 Updated: 11.03.2026

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	GitHub
Product	Enterprise Server
Versions	Default: unaffected affected from 3.18.0 to 3.18.5 (incl.) affected from 3.19.0 to 3.19.2 (incl.)

Vendor

GitHub

Product

Enterprise Server

Versions

Default: unaffected

affected from 3.18.0 to 3.18.5 (incl.)
affected from 3.19.0 to 3.19.2 (incl.)

Credits

André Storfjord Kristiansen finder

References

Problem Types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)