Improper Input Neutralization in GitHub Enterprise Server
CVE-2025-14046

8.6HIGH

Key Information:

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 11 December 2025

What is CVE-2025-14046?

An improper neutralization of input vulnerability exists in GitHub Enterprise Server that permits the injection of user-supplied HTML. This can lead to ID collisions with server-initialized data islands, potentially enabling the overwriting or shadowing of important application state objects in certain Project views. As a result, this may lead to unintended server-side POST requests or unauthorized backend interactions. To exploit this vulnerability, an attacker must gain access to the GitHub Enterprise Server instance and convince a privileged user to view maliciously crafted content that includes conflicting HTML elements.

Affected Version(s)

Enterprise Server 3.19.0

Enterprise Server 3.18.0 <= 3.18.2

Enterprise Server 3.17.0 <= 3.17.8

References

https://docs.github.com/en/[email protected]/admin/r...

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2025
Vulnerability Reserved
Dec 4, 2025

Credit

André Storfjord Kristiansen

JSON