DOM-based Cross-Site Scripting Vulnerability in GitHub Enterprise Server
CVE-2025-11892

8.6HIGH

Key Information:

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 10 November 2025

What is CVE-2025-11892?

A vulnerability exists in GitHub Enterprise Server that allows for DOM-based cross-site scripting through the Issues search label filter. This could enable an attacker with access to the affected instance to execute malicious scripts, resulting in privilege escalation and unauthorized actions within the workflow. Successful exploitation requires an attacker to lure a user with elevated permissions (operating in sudo mode) to click a specially crafted link, performing actions that should only be accessible through proper authorization. All versions prior to specified secure releases are affected.

Affected Version(s)

Enterprise Server 3.18.0

Enterprise Server 3.18.0 < 3.18.1

Enterprise Server 3.17.0 <= 3.17.6

References

https://docs.github.com/en/[email protected]/admin/r...

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2025
Vulnerability Reserved
Oct 16, 2025

Credit

André Storfjord Kristiansen

JSON