PT-2026-38595 · Github · Github Enterprise Server

Maksyche · Published 2026-05-07 · Updated 2026-05-10 · CVE-2026-8106

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions 3.19.1 through 3.19.5
GitHub Enterprise Server versions 3.20.0 through 3.20.1

Description
A reflected HTML injection issue exists in the Management Console login page. The redirect-to query parameter of the '/setup/unlock' endpoint is reflected into an HTML attribute without proper sanitization. An attacker can use this to inject a form element that captures administrator credentials if an administrator clicks a crafted link and enters their credentials into the injected form.

Recommendations
Update versions 3.19.1 through 3.19.5 to version 3.19.6. Update versions 3.20.0 through 3.20.1 to version 3.20.2.

Tags: Fix · XSS

Related Identifiers

CVE-2026-8106

Affected Products

Github Enterprise Server