CVE-2025-14046

11.12.2025, 18:16

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.

Cross-site Scripting

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_P	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21

https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16

https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12

https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9

https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3