NCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server
GitHub has fixed multiple vulnerabilities in GitHub Enterprise Server, specifically in versions prior to 3.21 and 3.22. The first vulnerability concerns a stored cross-site scripting (XSS) where authenticated attackers can inject malicious JavaScript payloads into Discussion titles. These scripts are executed in the context of other users viewing the respective discussions. The second vulnerability is a UI misrepresentation where the OAuth scope manage_runners:org was hidden on the consent screen, allowing OAuth applications to unintentionally gain access to organization runner management functions. The third vulnerability involves a missing authorization, allowing authenticated users to access source code of private repositories for which they had no rights, via the Copilot pull request description diff summary endpoint.
CSIRTS triage
- What
- Multiple vulnerabilities in GitHub Enterprise Server include stored XSS and misrepresentation of OAuth scopes.
- Who is affected
- Deployments of GitHub Enterprise Server prior to versions 3.21 and 3.22 are affected.
- Urgency
- Remediation is medium to high urgency due to the potential for exploitation and the impact on user security.
- Action
- Upgrade to versions 3.21 or 3.22 immediately.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch GitHub Enterprise Server
Get an email when a new GitHub Enterprise Server advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-105850.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
- Low exploitation riskCVE-2026-91060.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 7% of all scored CVEs.
- Low exploitation riskCVE-2026-91320.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-10585 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9106 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9132 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- medium[NEW] [medium] Microsoft GitHub Enterprise Server: Multiple vulnerabilitiescert-bund
- mediumCVE-2026-10585: A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that al…nvd
- mediumCVE-2026-9132: A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a…nvd
- mediumCVE-2026-9106: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an…nvd
Recent advisories for GitHub Enterprise Server
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-14340: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allow…nvd · 2026-07-01
- medium[NEW] [medium] Microsoft GitHub Enterprise Server: Multiple vulnerabilitiescert-bund · 2026-07-01
- mediumCVE-2026-10585: A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that al…nvd · 2026-06-30
- mediumCVE-2026-9132: A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a…nvd · 2026-06-30
- mediumCVE-2026-9106: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an…nvd · 2026-06-30
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0218 [1.00] [M/H] Vulnerability fixed in Cisco Catalyst Center2026-07-02