CVE-2026-2266 HIGH

CVE-2026-2266: Improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting via task list content and enabled arbitrary HTML injection

Vendor Github
Product Enterprise Server
Weakness CWE-79 · XSS
Published March 10, 2026
Last update March 11, 2026
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTML to be injected into the page. An authenticated attacker could craft malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user's browser session. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.18.6 and 3.19.3. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

March 10, 2026 CVE published
March 11, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-8750 Cross-site Scripting vulnerability in Idoit pro CVE-2025-28934 WordPress Simple Post Series plugin <= 2.4.4 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-3889 Royal Elementor Addons and Templates <= 1.3.971 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Accordion Title Tags CVE-2025-24412 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-31412 WordPress JetProductGallery plugin <= 2.1.22 - Cross Site Scripting (XSS) vulnerability