GitHub Enterprise Server up to 3.19.0 cross site scripting

Summaryinfo

A vulnerability has been found in GitHub Enterprise Server up to 3.19.0 and classified as problematic. Affected by this issue is some unknown functionality. This manipulation causes cross site scripting. The identification of this vulnerability is CVE-2025-13744. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic was found in GitHub Enterprise Server up to 3.19.0. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. The summary by CVE is:

An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.

The weakness was shared by Roshan Kudave and Johan Carlsson. The advisory is shared at docs.github.com. This vulnerability is known as CVE-2025-13744 since 11/26/2025. The exploitation appears to be easy. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the databases at EUVD (EUVD-2026-0959) and CERT Bund (WID-SEC-2026-0023). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Microsoft GitHub Enterprise

Productinfo

Type

• Bug Tracking Software

Vendor

• GitHub

Name

• Enterprise Server

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.10
• 3.11
• 3.12
• 3.13
• 3.14
• 3.14.0
• 3.14.1
• 3.14.2
• 3.14.3
• 3.14.4
• 3.14.5
• 3.14.6
• 3.14.7
• 3.14.8
• 3.14.9
• 3.14.10
• 3.14.11
• 3.14.12
• 3.14.13
• 3.14.14
• 3.14.15
• 3.14.16
• 3.14.17
• 3.14.18
• 3.14.19
• 3.15
• 3.15.0
• 3.15.1
• 3.15.2
• 3.15.3
• 3.15.4
• 3.15.5
• 3.15.6
• 3.15.7
• 3.15.8
• 3.15.9
• 3.15.10
• 3.15.11
• 3.15.12
• 3.15.13
• 3.15.14
• 3.16
• 3.16.0
• 3.16.1
• 3.16.2
• 3.16.3
• 3.16.4
• 3.16.5
• 3.16.6
• 3.16.7
• 3.16.8
• 3.16.9
• 3.16.10
• 3.17
• 3.17.0
• 3.17.1
• 3.17.2
• 3.17.3
• 3.17.4
• 3.17.5
• 3.17.6
• 3.17.7
• 3.18
• 3.18.0
• 3.18.1
• 3.19.0

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion