PT-2026-38593 · GitHub · GitHub Enterprise Server

Published 2026-05-07 · Updated 2026-05-10 · CVE-2026-7541

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.21

Description

An unauthenticated attacker can cause service disruption by sending crafted requests containing deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parses user-controlled JSON request bodies without size or depth limits, leading to excessive CPU and memory consumption, which results in a denial of service (a condition where a system becomes unavailable to its intended users).

Recommendations

Update to version 3.20.2, 3.19.6, 3.18.9, 3.17.15, or 3.16.18.
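
The failure mode in the description, a JSON body parsed with no size or depth limit, is avoided by rejecting the body before any parser builds an object tree. The following is an added example, not GitHub's code or its fix; the limits, the function names and the sample body are assumptions chosen for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024  # assumed limit, tune per endpoint
MAX_DEPTH = 32              # assumed limit, tune per endpoint


class JSONLimitError(ValueError):
    """Request body exceeds the configured size or nesting depth."""


def nesting_depth(raw: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest array/object nesting in raw, aborting past limit.

    One pass, constant memory, no recursion. Brackets inside string
    literals are skipped, including after escaped quotes.
    """
    depth = deepest = 0
    in_string = escaped = False
    for byte in raw:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:          # backslash starts an escape
                escaped = True
            elif byte == 0x22:          # unescaped quote ends the string
                in_string = False
        elif byte == 0x22:
            in_string = True
        elif byte in (0x5B, 0x7B):      # '[' or '{'
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:
                raise JSONLimitError(f"nesting deeper than {limit}")
        elif byte in (0x5D, 0x7D) and depth > 0:  # ']' or '}'
            depth -= 1
    return deepest


def parse_bounded(raw: bytes, max_bytes: int = MAX_BODY_BYTES,
                  max_depth: int = MAX_DEPTH):
    """Enforce size, then depth, and only then hand the body to json.loads."""
    if len(raw) > max_bytes:
        raise JSONLimitError(f"body larger than {max_bytes} bytes")
    nesting_depth(raw, max_depth)
    return json.loads(raw)


if __name__ == "__main__":
    ok = b'{"refs": [{"name": "a]]]"}]}'  # constructed sample body
    print(parse_bounded(ok), nesting_depth(ok))
```

The check belongs on the raw bytes at the first point that sees the request, before any framework-level body parsing runs.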

Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-7541

Affected Products

GitHub Enterprise Server