CVE-2025-14046

EUVD-2025-202752
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
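The collision class the advisory describes is the DOM-clobbering pattern: a browser resolves an id to the first matching element in document order, so user-supplied HTML rendered earlier in the page can shadow a server-emitted data island that client code later parses for its request targets. The following is an added example written for this page; it is not GitHub Enterprise Server code and does not reflect how GHES Project views actually read their state. A small tag scanner stands in for a real DOM so it runs under plain Node; the page layout, the id `project-state`, the state fields, the endpoint paths and the attacker's HTML are all constructed for the illustration.

```javascript
// Added illustration, not GitHub Enterprise Server code. A minimal tag scanner
// stands in for the browser DOM so the example runs in plain Node; it mimics
// document.getElementById's rule that the FIRST element in document order with
// a given id wins, which is what lets user HTML rendered before a server
// data island shadow it. All ids, paths and state fields are constructed.

// Parse start tags in document order into {tag, attrs, inner}. Only the
// attribute syntax used in this example (name="value") is supported.
function scanElements(html) {
  const out = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:="[^"]*")?)*)\s*\/?>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = {};
    const attrRe = /([\w-]+)(?:="([^"]*)")?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? "";
    // Text up to the matching close tag; nesting is not modelled (not needed here).
    const close = html.indexOf(`</${tag}>`, tagRe.lastIndex);
    const inner = close === -1 ? "" : html.slice(tagRe.lastIndex, close);
    out.push({ tag, attrs, inner });
  }
  return out;
}

// Stand-in for document.getElementById: first match in document order.
function getElementById(html, id) {
  return scanElements(html).find((e) => e.attrs.id === id) || null;
}

// Server side: render user-supplied HTML ahead of a JSON data island that the
// client later reads for its request configuration. Constructed layout.
function renderPage(userHtml, state) {
  // Escape "<" so the JSON can never terminate the script block early.
  const json = JSON.stringify(state).replace(/</g, "\\u003c");
  return `<main>${userHtml}</main>` +
    `<script id="project-state" type="application/json">${json}</script>`;
}

// Vulnerable client read: trusts whichever element carries the expected id.
function readStateNaive(html, id) {
  const el = getElementById(html, id);
  return el ? JSON.parse(el.inner) : null;
}

// Hardened client read: the island must be a JSON <script> element. HTML
// sanitizers never let user content emit <script>, so a user-supplied <div>
// with the same id is skipped even when it appears first in the document.
function readStateChecked(html, id) {
  const el = scanElements(html).find(
    (e) => e.attrs.id === id && e.tag === "script" && e.attrs.type === "application/json",
  );
  return el ? JSON.parse(el.inner) : null;
}

// Server-side neutralization: drop id attributes from user HTML so it cannot
// name server-initialized elements at all. (Prefixing ids with a
// user-content namespace is the other common choice.)
function stripUserIds(userHtml) {
  return userHtml.replace(
    /<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:="[^"]*")?)*)(\s*\/?>)/g,
    (whole, tag, attrs, end) => `<${tag}${attrs.replace(/\s+id="[^"]*"/gi, "")}${end}`,
  );
}

// Constructed inputs: the server's real state and a user comment that injects
// an element whose id collides with the data island.
const SERVER_STATE = { updateUrl: "/projects/42/items", method: "POST" };
const ATTACKER_HTML =
  '<p>looks harmless</p><div id="project-state">{"updateUrl":"/attacker/endpoint","method":"POST"}</div>';

function demo() {
  const page = renderPage(ATTACKER_HTML, SERVER_STATE);
  return {
    naive: readStateNaive(page, "project-state"),     // clobbered by the <div>
    checked: readStateChecked(page, "project-state"), // finds the real <script>
    stripped: readStateNaive(renderPage(stripUserIds(ATTACKER_HTML), SERVER_STATE), "project-state"),
  };
}

console.log(demo());
```

In a real browser the checked read is `const el = document.getElementById(id); if (!(el instanceof HTMLScriptElement) || el.type !== "application/json") throw new Error("untrusted data island");` before `JSON.parse(el.textContent)`. Switching the selector alone does not help, since `querySelector("#id")` follows the same first-match rule; the tag and type check is what excludes sanitized user content. Elements with an id are also reachable as named properties of `window`, so client code that reads its state through a bare global name it never declared is exposed to the same shadowing and needs the same treatment.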
Weakness: Cross-site Scripting

CVSS 3.x (Base Score)
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
GitHub_P   CNA    6.1 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score
Percentile: 8%
Affected Products (NVD)

Vendor   Product             Version (x = vulnerable software version)
github   enterprise_server   x < 3.14.21
github   enterprise_server   3.15.0 ≤ x < 3.15.16
github   enterprise_server   3.16.0 ≤ x < 3.16.12
github   enterprise_server   3.17.0 ≤ x < 3.17.9
github   enterprise_server   3.18.0 ≤ x < 3.18.3
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

Vendor   Product   Version                Source
github   github    3.18.0 ≤ x ≤ 3.18.2    CNA
github   github    3.17.0 ≤ x ≤ 3.17.8    CNA
github   github    3.16.0 ≤ x ≤ 3.16.11   CNA
github   github    3.15.0 ≤ x ≤ 3.15.15   CNA
github   github    3.14.0 ≤ x ≤ 3.14.20   CNA