PT-2026-43434 · Github · Github Enterprise Server

Ahacker1

·

Published

2026-05-26

·

Updated

2026-06-30

·

CVE-2026-9312

CVSS v4.0

9.2

Critical

VectorAV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.22
Description A server-side request forgery (SSRF) issue exists where an unauthenticated attacker can send crafted requests to internal services due to insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker can bypass the intended request flow and redirect internal API calls, which may lead to the access of internal services and exposure of sensitive credentials. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.
Recommendations Update to version 3.16.20 Update to version 3.17.17 Update to version 3.18.11 Update to version 3.19.8 Update to version 3.20.4 Update to version 3.21.1

Fix

LPE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07906
CVE-2026-9312

Affected Products

Github Enterprise Server