Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

github — Vulnerabilities & Security Advisories 142

Browse all 142 CVE security advisories affecting github. AI-powered Chinese analysis, POCs, and references for each vulnerability.

GitHub operates as a cloud-based platform for version control and collaborative software development, primarily hosting Git repositories for millions of developers worldwide. Its extensive attack surface has historically exposed it to critical vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation, often stemming from complex integrations and third-party dependencies. With 131 recorded CVEs, the platform has faced significant security challenges, most notably the 2021 incident where attackers compromised two-factor authentication tokens to access internal systems, leading to the theft of source code from major clients. These breaches underscore the risks associated with centralized code hosting and the potential for supply chain attacks. While GitHub employs rigorous security measures, its scale and role as infrastructure for global software development make it a high-value target, necessitating continuous vigilance against both external exploits and insider threats to maintain the integrity of the open-source ecosystem.

CVE IDTitleCVSSSeverityPublished
CVE-2026-14340 An incorrect authorization vulnerability in GitHub Enterprise Server allows issue creation in unrelated public repositories — Enterprise ServerCWE-863--2026-07-01
CVE-2026-10585 Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category — Enterprise ServerCWE-79--2026-06-30
CVE-2026-9132 Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint — Enterprise ServerCWE-862--2026-06-30
CVE-2026-9106 UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen — Enterprise ServerCWE-451--2026-06-30
CVE-2026-48529 GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion — github-mcp-serverCWE-284 6.0 Medium2026-06-26
CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint — Enterprise ServerCWE-918--2026-05-27
CVE-2026-8606 Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint — Enterprise ServerCWE-918--2026-05-26
CVE-2026-45033 GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor — copilot-cliCWE-696--2026-05-13
CVE-2026-8106 Reflected HTML injection vulnerability in GitHub Enterprise Server Management Console login page allowed credential theft — Enterprise ServerCWE-79 6.1AIMediumAI2026-05-07
CVE-2026-8034 Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion — Enterprise ServerCWE-918 8.2AIHighAI2026-05-07
CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint — Enterprise ServerCWE-770 7.5AIHighAI2026-05-07
CVE-2026-6736 Authentication bypass vulnerability in GitHub Enterprise Server allowed creation of local user accounts bypassing the configured external identity provider — Enterprise ServerCWE-306 6.5AIMediumAI2026-05-07
CVE-2026-5845 Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server — Enterprise ServerCWE-639 8.1AIHighAI2026-04-21
CVE-2026-3307 Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers — Enterprise ServerCWE-639 2.7AILowAI2026-04-21
CVE-2026-5512 Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API — Enterprise ServerCWE-201 4.3AIMediumAI2026-04-21
CVE-2026-4296 Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass — Enterprise ServerCWE-185 8.2AIHighAI2026-04-21
CVE-2026-5921 Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack — Enterprise ServerCWE-918 7.5AIHighAI2026-04-21
CVE-2026-3582 Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope — Enterprise ServerCWE-862 6.5AIMediumAI2026-03-10
CVE-2026-2266 Improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting via task list content and enabled arbitrary HTML injection — Enterprise ServerCWE-79 5.4AIMediumAI2026-03-10
CVE-2026-3306 Improper authorization in GitHub Projects allows modification of issue and pull request metadata without repository write access — Enterprise ServerCWE-639 4.3AIMediumAI2026-03-10
CVE-2026-3854 Remote code execution via git push option injection in GitHub Enterprise Server — Enterprise ServerCWE-77 8.8AIHighAI2026-03-10
CVE-2026-29783 GitHub Copilot CLI allows for dangerous shell expansion patterns that enable arbitrary command execution — copilot-cliCWE-78 8.0 -2026-03-06
CVE-2018-25188 Webiness Inventory 2.3 SQL Injection via WsModelGrid.php — Webiness InventoryCWE-89 8.2 High2026-03-06
CVE-2026-1999 Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests — Enterprise ServerCWE-863 7.5 -2026-02-18
CVE-2026-1355 Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports — Enterprise ServerCWE-862 7.3 -2026-02-18
CVE-2026-0573 Improper Handling of HTTP Redirects vulnerability was identified in GitHub Enterprise Server that allowed leaking of authorization token and enabled remote code execution — Enterprise ServerCWE-601 7.3 -2026-02-18
CVE-2025-13744 Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML — Enterprise ServerCWE-79 5.4 -2026-01-06
CVE-2025-14046 Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests — Enterprise ServerCWE-79 4.6AIMediumAI2025-12-11
CVE-2025-11578 Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation — Enterprise ServerCWE-59 7.2 -2025-11-10
CVE-2025-11892 DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers — Enterprise ServerCWE-79 6.1 -2025-11-10

This page lists every published CVE security advisory associated with github. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.