PT-2026-43434 · Github · Github Enterprise Server
Ahacker1 · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-9312
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.22
Description
A server-side request forgery (SSRF) issue exists: an unauthenticated attacker can cause the server to send crafted requests to internal services because an upload endpoint does not sufficiently validate its input. SSRF is a flaw that lets an attacker induce the server-side application to make requests to a location it did not intend. Here, injecting path traversal content into request parameters bypasses the intended request flow and redirects internal API calls, which may lead to access to internal services and exposure of sensitive credentials.
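As an added illustration (not code from this advisory or from GitHub), the hypothetical Python below contrasts the pattern the description names, a request parameter resolved straight against an internal API base so that traversal segments re-target the call, with an allow-list on the parameter plus a check that the assembled URL stays under the intended base. INTERNAL_BASE, the host name and the function names are assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import quote, urljoin, urlparse

# Constructed internal endpoint for illustration; not GitHub Enterprise Server's real layout.
INTERNAL_BASE = "http://uploads.internal:8080/api/v1/uploads/"
_BASE = urlparse(INTERNAL_BASE)
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_internal_url(upload_id: str) -> str:
    """Vulnerable pattern: the request parameter is resolved straight against the
    internal API base, so "../" segments (or a "//host" prefix) re-target the call."""
    return urljoin(INTERNAL_BASE, upload_id)


def stays_within_base(url: str) -> bool:
    """Last-line SSRF guard: the URL the server is about to call must keep the
    internal scheme and host, and its normalized path must stay under the prefix."""
    parsed = urlparse(url)
    normalized = posixpath.normpath(parsed.path)
    return (
        parsed.scheme == _BASE.scheme
        and parsed.netloc == _BASE.netloc
        and normalized.startswith(_BASE.path)
    )


def validated_internal_url(upload_id: str) -> Optional[str]:
    """Hardened pattern: allow-list the identifier first (rejects "..", "/", "%2e",
    backslashes and query characters), then re-check the assembled URL anyway."""
    if not _ID_RE.fullmatch(upload_id):
        return None
    url = INTERNAL_BASE + quote(upload_id, safe="")
    return url if stays_within_base(url) else None


if __name__ == "__main__":
    # Constructed sample parameters: one benign id, one traversal, one host override.
    for param in ("abc123", "../../admin/credentials", "//other.internal/x"):
        naive = naive_internal_url(param)
        print(f"{param!r}: naive={naive} within_base={stays_within_base(naive)} "
              f"validated={validated_internal_url(param)}")
```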
Recommendations
Update to version 3.16.20
Update to version 3.17.17
Update to version 3.18.11
Update to version 3.19.8
Update to version 3.20.4
Update to version 3.21.1
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Github Enterprise Server