PT-2026-34210 · Github · Github Enterprise Server

Seokchan Yoon · Published 2026-04-21 · Updated 2026-04-26 · CVE-2026-4821

CVSS v4.0: 8.1 (High)

Vector: AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.21

Description

An improper neutralization of special elements allows an authenticated Management Console administrator to execute arbitrary OS commands. This occurs via shell metacharacter injection in proxy configuration fields, such as http proxy. Exploitation requires access to the instance and administrator privileges to the Management Console.

Recommendations

Update to versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.
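
To triage an inventory against the fixed releases listed above, the following added example (not from this advisory or from GitHub) classifies an instance version per release line. The function names and sample versions are constructed here, and it assumes that later patch releases on a line keep the fix.

```python
import re

# Fixed patch release per release line, copied from the Recommendations above.
FIXED = {
    (3, 14): 26, (3, 15): 21, (3, 16): 17, (3, 17): 14,
    (3, 18): 8, (3, 19): 5, (3, 20): 1,
}
FIRST_UNAFFECTED = (3, 21)  # the advisory says versions prior to 3.21 are affected


def parse_version(text):
    """Return (major, minor, patch) from a string such as '3.19.4'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version):
    """Classify a GHES version against CVE-2026-4821.

    Returns (status, advice); status is one of 'not-affected',
    'patched', 'vulnerable' or 'vulnerable-no-listed-fix'.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED:
        return "not-affected", None
    if line not in FIXED:
        # Release line for which the advisory lists no fixed version.
        return "vulnerable-no-listed-fix", "move to a release line with a listed fix"
    fixed_patch = FIXED[line]
    # Assumption: patch releases after the listed one also carry the fix.
    if patch >= fixed_patch:
        return "patched", None
    return "vulnerable", f"update to {major}.{minor}.{fixed_patch} or later"


if __name__ == "__main__":
    # Constructed inventory of instance versions, for illustration only.
    for v in ["3.19.4", "3.19.5", "3.14.26", "3.20.0", "3.13.9", "3.21.0"]:
        print(v, *assess(v))
```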

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-4821

Affected Products

Github Enterprise Server