Github Enterprise Server — known CVE vulnerabilities
Every CVE whose affected-product data names Github Enterprise Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (116)
CVE-2026-8034 — CVSS 9.8 (critical): A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker…
CVE-2022-46255 — CVSS 9.8 (critical): An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote…
CVE-2024-6800 — CVSS 9.8 (critical): An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific…
CVE-2024-4985 — CVSS 9.8 (critical): An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication…
CVE-2021-22869 — CVSS 9.8 (critical): An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it…
CVE-2022-23739 — CVSS 9.8 (critical): An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API…
CVE-2025-11892 — CVSS 9.6 (critical): An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via…
CVE-2026-5845 — CVSS 9.6 (critical): An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an…
CVE-2024-1369 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-1359 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-1355 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-1374 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-9487 — CVSS 9.1 (critical): An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO…
CVE-2024-1372 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-1378 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-10007 — CVSS 9.1 (critical): A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to…
CVE-2024-2443 — CVSS 9.1 (critical): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2026-0573 — CVSS 9.0 (critical): An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive…
CVE-2026-5921 — CVSS 8.9 (high): A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive…
CVE-2022-23740 — CVSS 8.8 (high): CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that…
CVE-2021-22864 — CVSS 8.8 (high): A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site…
CVE-2021-22866 — CVSS 8.8 (high): A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub…
CVE-2021-41598 — CVSS 8.8 (high): A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub…
CVE-2021-41599 — CVSS 8.8 (high): A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site…
CVE-2022-23732 — CVSS 8.8 (high): A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections…
CVE-2026-4296 — CVSS 8.8 (high): An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect…
CVE-2022-23734 — CVSS 8.8 (high): A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code…
CVE-2026-3854 — CVSS 8.8 (high): An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push…
CVE-2025-23369 — CVSS 8.8 (high): An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature…
CVE-2022-46256 — CVSS 8.8 (high): A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages…
CVE-2023-46648 — CVSS 8.3 (high): An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user…
CVE-2026-9312 — CVSS 8.2 (high): A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to…
CVE-2023-6746 — CVSS 8.1 (high): An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end…
CVE-2023-46647 — CVSS 8.0 (high): Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console…
CVE-2024-2469 — CVSS 8.0 (high): An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability…
CVE-2024-3684 — CVSS 8.0 (high): A server side request forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the…
CVE-2024-3646 — CVSS 8.0 (high): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-1354 — CVSS 8.0 (high): A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management…
CVE-2024-5795 — CVSS 7.7 (high): A Denial of Service vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause unbounded resource…
CVE-2023-23761 — CVSS 7.7 (high): An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to modify other…
CVE-2024-5746 — CVSS 7.6 (high): A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator…
CVE-2025-3246 — CVSS 7.6 (high): An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub…
CVE-2023-6847 — CVSS 7.5 (high): An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a…
CVE-2026-7541 — CVSS 7.5 (high): A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service…
CVE-2024-0200 — CVSS 7.2 (high): An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability…
CVE-2025-11578 — CVSS 7.2 (high): A privilege escalation vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Enterprise admin to gain root…
CVE-2022-23741 — CVSS 7.2 (high): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate…
CVE-2025-3509 — CVSS 7.2 (high): A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by…
CVE-2023-6802 — CVSS 7.2 (high): An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an…
CVE-2024-10001 — CVSS 7.1 (high): A Code Injection vulnerability was identified in GitHub Enterprise Server that allowed attackers to inject malicious code into the query…
CVE-2024-1482 — CVSS 7.1 (high): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in…
CVE-2023-46645 — CVSS 6.8 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages…
CVE-2024-6337 — CVSS 6.5 (medium): An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and…
CVE-2023-6804 — CVSS 6.5 (medium): Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a…
CVE-2024-0507 — CVSS 6.5 (medium): An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection…
CVE-2024-10824 — CVSS 6.5 (medium): An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed unauthorized internal users to access…
CVE-2024-1084 — CVSS 6.5 (medium): Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that…
CVE-2023-23762 — CVSS 6.5 (medium): An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect…
CVE-2024-5815 — CVSS 6.5 (medium): A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting…
CVE-2024-5817 — CVSS 6.5 (medium): An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub…
CVE-2023-22380 — CVSS 6.5 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages…
CVE-2024-8810 — CVSS 6.5 (medium): A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization…
CVE-2022-46258 — CVSS 6.5 (medium): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write…
CVE-2026-1355 — CVSS 6.5 (medium): A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to…
CVE-2026-1999 — CVSS 6.5 (medium): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull…
CVE-2022-23737 — CVSS 6.5 (medium): An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to…
CVE-2021-22870 — CVSS 6.5 (medium): A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read…
CVE-2026-6736 — CVSS 6.5 (medium): An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a…
CVE-2021-22867 — CVSS 6.5 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site…
CVE-2026-9132 — CVSS 6.5 (medium): A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code…
CVE-2021-22865 — CVSS 6.5 (medium): An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub…
CVE-2024-1082 — CVSS 6.3 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker to gain unauthorized read permission to…
CVE-2024-1908 — CVSS 6.3 (medium): An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise…
CVE-2023-46649 — CVSS 6.3 (medium): A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an…
CVE-2024-8770 — CVSS 6.1 (medium): A Cross-Site Scripting (XSS) vulnerability was identified in the repository transfer feature of GitHub Enterprise Server, which allows…
CVE-2025-14046 — CVSS 6.1 (medium): An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM…
CVE-2026-8106 — CVSS 6.1 (medium): A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow…
CVE-2024-3470 — CVSS 5.9 (medium): An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use a deploy key…
CVE-2026-8606 — CVSS 5.9 (medium): A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server…
CVE-2023-6803 — CVSS 5.8 (medium): A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. This…
CVE-2024-5566 — CVSS 5.8 (medium): An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on…
CVE-2022-23738 — CVSS 5.7 (medium): An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private…
CVE-2026-9106 — CVSS 5.5 (medium): A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access…
CVE-2024-2440 — CVSS 5.5 (medium): A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL…
CVE-2026-2266 — CVSS 5.4 (medium): An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting…
CVE-2022-23733 — CVSS 5.4 (medium): A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection…
CVE-2025-13744 — CVSS 5.4 (medium): An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed…
CVE-2026-10585 — CVSS 5.4 (medium): A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute…
CVE-2024-5816 — CVSS 5.3 (medium): An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to…
CVE-2024-6395 — CVSS 5.3 (medium): An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private…
CVE-2024-6336 — CVSS 5.3 (medium): A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in…
CVE-2023-23763 — CVSS 5.3 (medium): An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain…
CVE-2023-46646 — CVSS 5.3 (medium): Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get…
CVE-2026-14340 — CVSS 5.0 (medium): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub…
CVE-2023-23760 — CVSS 4.9 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages…
CVE-2023-51379 — CVSS 4.9 (medium): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an…
CVE-2023-23765 — CVSS 4.8 (medium): An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect…
CVE-2023-23764 — CVSS 4.8 (medium): An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect…
CVE-2023-23766 — CVSS 4.5 (medium): An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect…
CVE-2025-3124 — CVSS 4.3 (medium): A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private…
CVE-2026-5512 — CVSS 4.3 (medium): An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the…
CVE-2024-7711 — CVSS 4.3 (medium): An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees…
CVE-2021-22868 — CVSS 4.3 (medium): A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site…
CVE-2024-9539 — CVSS 4.3 (medium): An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to…
CVE-2022-46257 — CVSS 4.3 (medium): An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a…
CVE-2025-6600 — CVSS 4.3 (medium): An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the…
CVE-2025-6981 — CVSS 4.3 (medium): An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts…
CVE-2026-3306 — CVSS 4.3 (medium): An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and…
CVE-2026-3582 — CVSS 4.3 (medium): An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic…
CVE-2024-2748 — CVSS 4.3 (medium): A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized…
CVE-2023-22381 — CVSS 4.1 (medium): A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a…
CVE-2023-6690 — CVSS 3.9 (low): A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a…
CVE-2025-8447 — CVSS 3.1 (low): An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to…
CVE-2026-3307 — CVSS 2.7 (low): An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one…
CVE-2023-51380 — CVSS 2.7 (low): An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an…
CVE-2024-8263 — CVSS 2.7 (low): An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped PAT through the use…