CVE-2026-2266 is a DOM-based cross-site scripting vulnerability classified under CWE-79, affecting GitHub Enterprise Server versions 3.18.0 and 3.19.0. The root cause lies in the task list content extraction logic, which fails to properly re-encode browser-decoded text nodes before rendering. This improper neutralization allows an authenticated attacker to craft malicious task list items within issues or pull requests that contain user-supplied HTML. When rendered, these malicious inputs execute arbitrary JavaScript in the context of other users' browsers viewing the affected pages. The vulnerability requires the attacker to have at least limited privileges (authenticated with low privileges) and some user interaction to trigger the malicious script execution. The impact is significant as it can lead to session hijacking, unauthorized actions, or data theft within the GitHub Enterprise Server environment. The issue was responsibly disclosed via the GitHub Bug Bounty program and fixed in versions 3.18.6 and 3.19.3. The CVSS 4.0 score is 7.4 (high), reflecting network attack vector, low attack complexity, partial authentication, and partial user interaction requirements, with high impact on confidentiality and integrity but no impact on availability.

This vulnerability poses a serious risk to organizations using affected GitHub Enterprise Server versions, as it enables attackers to execute arbitrary scripts in the context of other users' sessions. Potential impacts include theft of sensitive information such as authentication tokens or credentials, unauthorized actions performed on behalf of users, and potential lateral movement within the enterprise environment. Since GitHub Enterprise Server is widely used by organizations for source code management and collaboration, exploitation could compromise intellectual property, disrupt development workflows, and erode trust in the platform. The requirement for authentication limits exposure somewhat, but insider threats or compromised accounts could be leveraged to exploit this vulnerability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

Organizations should immediately upgrade GitHub Enterprise Server to versions 3.18.6, 3.19.3, or later, where the vulnerability has been patched. Until upgrades are applied, administrators should restrict access to the affected versions by limiting user privileges and monitoring for suspicious activity related to task list content in issues and pull requests. Implementing strict content security policies (CSP) can help mitigate the impact of XSS by restricting script execution sources. Additionally, organizations should educate users about the risks of interacting with untrusted task list items and encourage vigilance for unusual behavior. Regularly auditing and reviewing pull requests and issues for suspicious content can also help detect attempted exploitation. Finally, integrating automated scanning tools that detect XSS patterns in user-generated content within the GitHub environment can provide early warning.