CVE-2025-14046

EPSS 0.03%
Veröffentlicht 11.12.2025 17:52:05
Zuletzt bearbeitet 19.12.2025 19:47:36
Quelle product-cna@github.com
CVE-Watchlists
Login
Unerledigt
Login

Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Github ≫ Enterprise Server Version < 3.14.21

Github ≫ Enterprise Server Version >= 3.15.0 < 3.15.16

Github ≫ Enterprise Server Version >= 3.16.0 < 3.16.12

Github ≫ Enterprise Server Version >= 3.17.0 < 3.17.9

Github ≫ Enterprise Server Version >= 3.18.0 < 3.18.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.08

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
product-cna@github.com	8.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3

Release Notes

https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9

Release Notes

https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12

Release Notes

https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16

Release Notes

https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-14046

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14046

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14046

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14046