CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

NCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server

unknownCVE-2026-10585CVE-2026-9106CVE-2026-9132
GitHub has fixed multiple vulnerabilities in GitHub Enterprise Server, specifically in versions prior to 3.21 and 3.22. The first vulnerability concerns a stored cross-site scripting (XSS) where authenticated attackers can inject malicious JavaScript payloads into Discussion titles. These scripts are executed in the context of other users viewing the respective discussions. The second vulnerability is a UI misrepresentation where the OAuth scope manage_runners:org was hidden on the consent screen, allowing OAuth applications to unintentionally gain access to organization runner management functions. The third vulnerability involves a missing authorization, allowing authenticated users to access source code of private repositories for which they had no rights, via the Copilot pull request description diff summary endpoint.

CSIRTS triage

vendor: GitHubproduct: GitHub Enterprise ServerCross-site scriptingMisconfigurationOtheraffected: prior to 3.21 and 3.22
What
Multiple vulnerabilities in GitHub Enterprise Server include stored XSS and misrepresentation of OAuth scopes.
Who is affected
Deployments of GitHub Enterprise Server prior to versions 3.21 and 3.22 are affected.
Urgency
Remediation is medium to high urgency due to the potential for exploitation and the impact on user security.
Action
Upgrade to versions 3.21 or 3.22 immediately.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch GitHub Enterprise Server

Get an email when a new GitHub Enterprise Server advisory drops — max one per day, one-click unsubscribe.

Details

Source
NCSC-NL Advisories (NL · national-cert · site)
Severity
unknown
Published
2026-07-03
Exploitation
Not in CISA KEV at last sync
Language
Machine-translated to English — verify against the original

Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-10585coverage & exploitation statusNVD · CVE.org
CVE-2026-9106coverage & exploitation statusNVD · CVE.org
CVE-2026-9132coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for GitHub Enterprise Server

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NCSC-NL Advisories