CVE-2026-2266
DOM-Based XSS in GitHub Enterprise Server Task List Content
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc. (Products Only)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | From 3.19.0 (inc) to 3.19.3 (exc) |
| github | enterprise_server | to 3.18.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper neutralization of input in GitHub Enterprise Server that allows DOM-based cross-site scripting (XSS) via task list content.
The issue occurs because the task list content extraction logic does not properly re-encode browser-decoded text nodes before rendering, which enables user-supplied HTML to be injected into the page.
An authenticated attacker can create malicious task list items in issues or pull requests that execute arbitrary scripts in the context of another user's browser session.
This affects all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary scripts in the browser session of another user.
Such script execution can lead to unauthorized actions performed on behalf of the victim user, theft of sensitive information such as session tokens, or other malicious activities within the context of the affected GitHub Enterprise Server instance.
Because the attacker must be authenticated to exploit this vulnerability, the risk is limited to users with access, but the impact on those users can be significant.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitHub Enterprise Server to version 3.18.6, 3.19.3, or later, as these versions contain the fix for the DOM-based cross-site scripting issue.