CVE-2026-15007
Received
Received - Intake
Denial of Service in GitHub Enterprise Server via Nested YAML
Vulnerability report for CVE-2026-15007, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: GitHub, Inc. (Products Only)
Description
Description
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parsed without a nesting depth limit, causing excessive resource consumption that could render the instance unresponsive. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.17.18, 3.18.12, 3.19.9, 3.20.5, and 3.21.3. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| github | enterprise_server | to 3.22 (exc) |
| github | enterprise_server | 3.17.18 |
| github | enterprise_server | 3.18.12 |
| github | enterprise_server | 3.19.9 |
| github | enterprise_server | 3.20.5 |
| github | enterprise_server | 3.21.3 |
| github | enterprise_server | 3.19.1 |
| github | enterprise_server | 3.20.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |