PT-2025-50649 · GitHub · GitHub Enterprise Server

Published 2025-12-11 · Updated 2025-12-13 · CVE-2025-14046

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.18.3
GitHub Enterprise Server versions prior to 3.17.9
GitHub Enterprise Server versions prior to 3.16.12
GitHub Enterprise Server versions prior to 3.15.16
GitHub Enterprise Server versions prior to 3.14.21
Description
An improper neutralization of input issue exists in GitHub Enterprise Server. It allows user-supplied HTML to inject DOM elements whose IDs conflict with server-initialized data islands. Such conflicts can overwrite or shadow critical application state objects used by certain Project views, potentially leading to unintended server-side POST requests or other unauthorized backend interactions. Exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to convince a privileged user to view crafted malicious content containing the conflicting HTML elements.
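The ID shadowing described above, shown as an added example that is not code from the advisory or from GitHub: a weak data-island reader that trusts the first element with a given ID, beside a hardened reader that fails closed unless the ID belongs to exactly one trusted JSON script element. The element list is a constructed stand-in for the rendered DOM so the code runs without a browser; the ID `project-state` and the user-content marker are assumptions.

```javascript
// Constructed sample pages: each entry stands in for one DOM element, listed in
// document order. The real DOM calls each check corresponds to are noted inline.
const CLEAN_PAGE = [
  { tag: 'script', id: 'project-state', type: 'application/json',
    text: '{"projectId":42}', userContent: false },
];
const CLOBBERED_PAGE = [
  // constructed: user-rendered markup that kept an id equal to the island's id
  { tag: 'div', id: 'project-state', type: null,
    text: '{"projectId":999}', userContent: true },
  ...CLEAN_PAGE,
];

// Weak reader: document.getElementById(id) returns the FIRST element with that
// id, so user-controlled markup rendered earlier in the page shadows the island.
function readIslandWeak(page, id) {
  const el = page.find((e) => e.id === id) || null; // getElementById(id)
  return el ? JSON.parse(el.text) : null;
}

// Hardened reader, fail closed: exactly one element may carry the id
// (querySelectorAll(`[id="${CSS.escape(id)}"]`).length === 1), it must be a
// <script type="application/json"> (tagName === 'SCRIPT', type attribute), and
// it must not sit inside a user-content container (assumed marker; in a real
// page e.g. el.closest('.user-content') === null).
function readIslandSafe(page, id) {
  const matches = page.filter((e) => e.id === id);
  if (matches.length !== 1) {
    throw new Error(`data island "${id}": expected 1 element, found ${matches.length}`);
  }
  const el = matches[0];
  if (el.tag !== 'script' || el.type !== 'application/json' || el.userContent) {
    throw new Error(`data island "${id}": not a trusted JSON script element`);
  }
  return JSON.parse(el.text);
}

// Convenience wrapper: the parsed state, or 'rejected' when the page is refused.
function loadProjectState(page) {
  try { return readIslandSafe(page, 'project-state'); } catch (e) { return 'rejected'; }
}
```

On the clobbered page the weak reader hands the view attacker-controlled state, while the hardened reader refuses to initialise rather than act on ambiguous data.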
Recommendations
Update GitHub Enterprise Server to version 3.18.3 or later.
Update GitHub Enterprise Server to version 3.17.9 or later.
Update GitHub Enterprise Server to version 3.16.12 or later.
Update GitHub Enterprise Server to version 3.15.16 or later.
Update GitHub Enterprise Server to version 3.14.21 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-14046

Affected Products

GitHub Enterprise Server