CVE-2026-2266

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.20 GitHub Enterprise Server versions 3.18.6 and 3.19.3

Description An improper neutralization of input issue exists in GitHub Enterprise Server, allowing DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, enabling user-supplied HTML to be injected into the page. An authenticated attacker could create malicious task list items in issues or pull requests to execute arbitrary scripts in the context of another user’s browser session. The vulnerability involves the improper handling of input during task list content extraction. The vulnerable component allows the injection of HTML through crafted task list items.

Recommendations Update to GitHub Enterprise Server version 3.18.6. Update to GitHub Enterprise Server version 3.19.3. Update to GitHub Enterprise Server version 3.20 or later.