CVE-2025-11892 HIGH

CVE-2025-11892: DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers

Vendor Github
Product Enterprise Server
Weakness CWE-79 · XSS
Published November 10, 2025
Last update November 12, 2025
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19.

Key dates

02Disclosure timeline

November 10, 2025 CVE published
November 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-9371 Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scripting CVE-2021-32764 YouTube Onebox susceptible to XSS CVE-2021-36889 WordPress tarteaucitron.js – Cookies legislation & GDPR plugin <= 1.6 - Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities CVE-2024-23818 GeoServer Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format CVE-2025-10023 A user with elevated privileges can inject XSS in the Services Meta-services configuration page