CVE-2026-2266 Overview
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting (XSS) via task list content. The task list content extraction logic fails to properly re-encode browser-decoded text nodes before rendering, enabling attackers to inject user-supplied HTML into the page. An authenticated attacker can craft malicious task list items in issues or pull requests to execute arbitrary scripts within another user's browser session.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim users' browser sessions, potentially leading to session hijacking, credential theft, and unauthorized actions within GitHub Enterprise Server environments.
Affected Products
- GitHub Enterprise Server versions prior to 3.20
- GitHub Enterprise Server versions prior to 3.18.6
- GitHub Enterprise Server versions prior to 3.19.3
Discovery Timeline
- 2026-03-10 - CVE-2026-2266 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-2266
Vulnerability Analysis
This vulnerability exists in GitHub Enterprise Server's task list rendering functionality. When users create task lists within issues or pull requests, the application's task list code extracts and processes the text content of those list items. The core issue lies in how browser-decoded text nodes are handled during the rendering pipeline.
When a browser parses HTML content, it automatically decodes HTML entities within text nodes. The vulnerable code path extracts this browser-decoded content but fails to re-encode it before inserting it back into the DOM. This creates a DOM-based XSS vector where an attacker can embed malicious HTML or JavaScript that bypasses input sanitization.
The attack requires authentication, meaning an attacker must have a valid GitHub Enterprise Server account. However, once authenticated, they can target any user who views their crafted issue or pull request containing malicious task list content. This vulnerability was reported via the GitHub Bug Bounty program and classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Root Cause
The root cause is improper handling of text node content during the task list extraction and rendering process. Specifically, the application fails to apply proper output encoding when reinserting extracted text content into the DOM. Browser-decoded content is treated as safe for direct DOM insertion, but this assumption is incorrect when the original content contained encoded malicious payloads.
Attack Vector
The attack vector is network-based and has low attack complexity. An authenticated attacker creates an issue or pull request containing a specially crafted task list. The malicious payload is embedded within the task list item text, potentially using various encoding techniques to bypass initial input filters.
When a victim user views the affected issue or pull request, their browser processes the task list content. During this process, the browser decodes the text nodes, and the vulnerable extraction logic captures this decoded content. When the content is re-rendered without proper encoding, the attacker's injected HTML/JavaScript executes in the victim's browser context.
The exploitation mechanism relies on the DOM manipulation occurring client-side after initial page load. The attacker's payload could perform actions such as stealing session tokens, modifying page content, or performing actions on behalf of the victim user within the GitHub Enterprise Server instance.
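The decode-then-reinsert mistake described above, as an added example that is not GitHub's code: a small JavaScript model in which the browser's entity decoding, the task list extraction, the vulnerable re-render and the re-encoding fix are all simplified, assumed functions operating on constructed sample markup.

```javascript
// Added example (not GitHub's code): a model of the re-encoding flaw behind
// CVE-2026-2266. Function names, markup shape and sample content are assumed.
// How a browser turns entity-encoded markup into a text node: numeric entities
// first, named ones next, "&amp;" last so that "&amp;lt;" stays "&lt;".
function browserDecode(text) {
  const named = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&(?:lt|gt|quot|#39);/g, (m) => named[m])
    .replace(/&amp;/g, "&");
}

// The missing step in the vulnerable path: output encoding before reinsertion.
function encodeForHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Extraction: read each task-list item as the browser's decoded text node
// (simplified: the server markup is a flat list of <li class="task-list-item">).
function extractTaskItems(renderedHtml) {
  const items = [];
  const re = /<li class="task-list-item">([\s\S]*?)<\/li>/g;
  for (let m; (m = re.exec(renderedHtml)) !== null; ) items.push(browserDecode(m[1]));
  return items;
}

// Vulnerable re-render: decoded text is concatenated straight into HTML.
function renderVulnerable(items) {
  return items.map((t) => `<li class="task-list-item"><input type="checkbox"> ${t}</li>`).join("");
}

// Fixed re-render: the same text is re-encoded, so author-supplied markup stays literal.
function renderFixed(items) {
  return items.map((t) => `<li class="task-list-item"><input type="checkbox"> ${encodeForHtml(t)}</li>`).join("");
}

// Check: which tags beyond the list scaffolding would the browser parse as elements?
function foreignTags(html) {
  const scaffold = new Set(["li", "input"]);
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)[\s>]/gi)]
    .map((m) => m[1].toLowerCase()).filter((name) => !scaffold.has(name));
}
// Constructed sample: the server escaped the text correctly; only the client-side re-render decides.
const SERVER_HTML = '<li class="task-list-item">Buy milk</li>' +
  '<li class="task-list-item">Note: &lt;b&gt;bold&lt;/b&gt; &amp;amp; &#60;i&#62;x&#60;/i&#62;</li>';
console.log(foreignTags(renderVulnerable(extractTaskItems(SERVER_HTML)))); // [ 'b', 'b', 'i', 'i' ]
console.log(foreignTags(renderFixed(extractTaskItems(SERVER_HTML))));      // []
```

The stored markup is identical in both runs; the only difference is whether the client-side code re-encodes the text it read back from the DOM, which is exactly the step the advisory says was missing.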
Detection Methods for CVE-2026-2266
Indicators of Compromise
- Unusual JavaScript execution patterns originating from task list DOM elements in issue or pull request pages
- HTTP requests to external domains triggered during issue or pull request page views
- User reports of unexpected behavior or prompts when viewing specific issues or pull requests
- Audit logs showing suspicious activity correlated with specific issue or pull request views
Detection Strategies
- Monitor web application logs for requests containing encoded HTML entities or JavaScript within task list parameters
- Implement Content Security Policy (CSP) violations monitoring to detect unauthorized script execution attempts
- Review audit logs for unusual patterns of issue or pull request creation followed by high view counts
- Deploy browser-based XSS detection tools that can identify DOM manipulation attacks
Monitoring Recommendations
- Enable and monitor CSP reporting endpoints for violation alerts related to inline script execution
- Configure SIEM rules to detect patterns consistent with XSS exploitation in GitHub Enterprise Server logs
- Monitor for unusual outbound network connections from client browsers accessing GitHub Enterprise Server
- Implement user behavior analytics to identify accounts creating suspicious content patterns
How to Mitigate CVE-2026-2266
Immediate Actions Required
- Upgrade GitHub Enterprise Server to version 3.18.6, 3.19.3, or 3.20 or later immediately
- Review recent issues and pull requests for suspicious task list content containing encoded payloads
- Audit user activity logs for signs of potential exploitation
- Consider temporarily restricting task list functionality if immediate patching is not possible
Patch Information
GitHub has released security patches addressing this vulnerability in multiple versions. Organizations should upgrade to the following fixed versions:
- Version 3.18.6 - See GitHub Release Notes 3.18.6 for details
- Version 3.19.3 - See GitHub Release Notes 3.19.3 for details
- Version 3.20 or later includes the fix by default
Organizations should prioritize patching based on their current version and follow GitHub's standard upgrade procedures for Enterprise Server deployments.
Workarounds
- Implement a strict Content Security Policy to prevent inline script execution as a defense-in-depth measure
- Consider using a web application firewall (WAF) rule to filter suspicious encoded payloads in request bodies
- Limit access to issue and pull request creation to trusted users until patching is complete
- Enable enhanced audit logging to detect potential exploitation attempts before patches are applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.