Skip to main content

GitHub Enterprise Server CVE-2026-15007

| EUVDEUVD-2026-45188 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-17 GitHub_P
5.7
CVSS 4.0 · Vendor: GitHub_P
Share

Severity by source

Vendor (GitHub_P) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-reachable, low complexity, requires authenticated low-privilege user; scope change (S:C) because instance-wide availability impact extends beyond the release notes component.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (GitHub_P).

CVSS VectorVendor: GitHub_P

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 16:16 vuln.today

DescriptionCVE.org

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parsed without a nesting depth limit, causing excessive resource consumption that could render the instance unresponsive. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.

AnalysisAI

GitHub Enterprise Server (all versions prior to 3.22) is vulnerable to authenticated denial of service via unbounded YAML parsing depth in release notes configuration files. An authenticated user with repository access can craft a release notes configuration file containing arbitrarily deeply nested YAML structures; when release note generation is triggered, the YAML parser processes the nesting without any depth limit, causing excessive CPU and memory consumption that can render the entire GHES instance unresponsive. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to GHES instance
Delivery
Push deeply nested YAML to release notes config
Exploit
Trigger release notes generation for a repository tag
Execution
YAML parser recurses without depth limit
Persist
Instance processes exhaust CPU and memory
Impact
GHES instance becomes unresponsive for all users

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the GHES instance with at minimum write access to a repository (sufficient to push a crafted release notes configuration file). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H) scores 5.7, which understates operational impact in enterprise deployments: a single authenticated user can fully crash a shared GHES instance, disrupting all development teams relying on it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated developer or contractor with push access to any repository on a GHES instance creates a release notes configuration file (e.g., .github/release.yml) containing thousands of levels of nested YAML mappings. When the attacker or any automated process triggers release note generation for a tag or release, the GHES backend parses the file without depth limiting, causing the parser to exhaust available memory or stack space. …
Remediation The primary remediation is to upgrade to a patched release: 3.17.18, 3.18.12, 3.19.9, 3.20.5, or 3.21.3, depending on the currently deployed release train. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-0200 CRITICAL POC
9.8 Jan 16

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. R

CVE-2024-9487 CRITICAL POC
9.5 Oct 10

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowe

CVE-2024-4985 CRITICAL
10.0 May 20

An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sig

CVE-2017-7420 CRITICAL
9.8 Aug 21

An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Ent

CVE-2023-4501 CRITICAL
9.8 Sep 12

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL

CVE-2022-46255 CRITICAL
9.8 Dec 14

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server

CVE-2021-22869 CRITICAL
9.8 Sep 24

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted

CVE-2024-6800 CRITICAL
9.5 Aug 20

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication wi

CVE-2026-9312 CRITICAL
9.2 May 27

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui

CVE-2024-1378 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

CVE-2024-1374 CRITICAL
9.1 Feb 13

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor rol

Share

CVE-2026-15007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy