XSS in GitHub Enterprise Server
CVE-2026-2266
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decod…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (10.6th percentile)
Affected products
- GitHub Enterprise Server: versions 3.18.0, 3.19.0
Weakness classification (CWE)
References
- docs.github.com/en/enterprise-server@3.18/admin/release-notes (release-notes)
- docs.github.com/en/enterprise-server@3.19/admin/release-notes (release-notes)