CVE-2025-14046
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
| Software | From | Fixed in |
|---|---|---|
| github / enterprise_server | - | 3.14.21 |
| github / enterprise_server | 3.15.0 | 3.15.16 |
| github / enterprise_server | 3.16.0 | 3.16.12 |
| github / enterprise_server | 3.17.0 | 3.17.9 |
| github / enterprise_server | 3.18.0 | 3.18.3 |
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime