CVE-2026-2266
Received Received - Intake

DOM-Based XSS in GitHub Enterprise Server Task List Content

Vulnerability report for CVE-2026-2266, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc. (Products Only)

Description

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-07-06
AI Q&A
2026-03-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
github enterprise_server From 3.19.0 (inc) to 3.19.3 (exc)
github enterprise_server to 3.18.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an improper neutralization of input in GitHub Enterprise Server that allows DOM-based cross-site scripting (XSS) via task list content.

The issue occurs because the task list content extraction logic does not properly re-encode browser-decoded text nodes before rendering, which enables user-supplied HTML to be injected into the page.

An authenticated attacker can create malicious task list items in issues or pull requests that execute arbitrary scripts in the context of another user's browser session.

This affects all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the browser session of another user.

Such script execution can lead to unauthorized actions performed on behalf of the victim user, theft of sensitive information such as session tokens, or other malicious activities within the context of the affected GitHub Enterprise Server instance.

Because the attacker must be authenticated to exploit this vulnerability, the risk is limited to users with access, but the impact on those users can be significant.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GitHub Enterprise Server to version 3.18.6, 3.19.3, or later, as these versions contain the fix for the DOM-based cross-site scripting issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart