Reflected HTML Injection Vulnerability in GitHub Enterprise Server Management Console
CVE-2026-8106

5.9 MEDIUM

Key Information:

Vendor: GitHub

CVE Published: 7 May 2026

What is CVE-2026-8106?

A reflected HTML injection vulnerability has been discovered in the login page of the GitHub Enterprise Server Management Console. The redirect_to query parameter of the /setup/unlock endpoint is reflected into an HTML attribute without adequate sanitization, so a crafted link can alter the markup of the login page. If a targeted administrator follows such a link and enters their credentials, those credentials could be captured by the attacker. Multiple versions of GitHub Enterprise Server are affected; users should upgrade to a patched version.
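The defect class described above, reflecting a query parameter into an HTML attribute without escaping, is shown here in an added, constructed example that is not GitHub's code and does not model the actual Management Console implementation. It renders a minimal login form in a vulnerable form and in a hardened form (attribute escaping plus restricting redirect_to to a same-site relative path), and includes a small parser-based check a defender can use to confirm that reflected input can no longer introduce additional elements. The form markup, the is_safe_redirect rule and the default target "/setup" are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed example (not GitHub Enterprise Server code): a login form that
# carries the redirect_to parameter forward in a hidden input.
FORM = '<form method="post" action="/setup/unlock">' \
       '<input type="hidden" name="redirect_to" value="{value}"></form>'


def render_vulnerable(redirect_to: str) -> str:
    """Reflects the parameter into the attribute unescaped.

    A value containing a double quote terminates the attribute early, so
    whatever follows is parsed as new markup rather than as the value.
    """
    return FORM.format(value=redirect_to)


def is_safe_redirect(target: str) -> bool:
    """Accept only same-site relative paths for the redirect target.

    Rejects absolute URLs, protocol-relative '//host' forms and the
    backslash variant '/\\host' that some browsers treat the same way.
    """
    if not target.startswith("/"):
        return False
    if len(target) > 1 and target[1] in "/\\":
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def render_hardened(redirect_to: str, default: str = "/setup") -> str:
    """Validate the redirect target, then escape it for an attribute context.

    html.escape(quote=True) turns '"' into '&quot;' and '<' '>' into
    entities, so the value can never close the attribute or open a tag.
    """
    target = redirect_to if is_safe_redirect(redirect_to) else default
    return FORM.format(value=html.escape(target, quote=True))


class _TagCollector(HTMLParser):
    """Collects start tags and their (entity-decoded) attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    """Parse rendered markup and return [(tag, attrs), ...] in order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def reflected_value(markup: str) -> str:
    """Return the decoded value the browser would see for the hidden input."""
    for tag, attrs in parse_tags(markup):
        if tag == "input" and attrs.get("name") == "redirect_to":
            return attrs.get("value", "")
    return ""


if __name__ == "__main__":
    # Constructed probe: a quote followed by an extra (harmless) element.
    probe = '/setup"><b>injected</b>'
    print("vulnerable tags:", [t for t, _ in parse_tags(render_vulnerable(probe))])
    print("hardened tags:  ", [t for t, _ in parse_tags(render_hardened(probe))])
    print("hardened value: ", reflected_value(render_hardened(probe)))
```

The check is deliberately structural: rather than looking for a particular string, it parses the output and compares the element list against what the template is supposed to produce (one form, one input). Any reflected input that adds a third element indicates an attribute break-out, which is the condition a regression test for this class of bug should assert on.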

Affected Version(s)

  • Enterprise Server 3.19.0

  • Enterprise Server 3.19.1 <= 3.19.5

  • Enterprise Server 3.20.0 <= 3.20.1

References

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

maksyche