GitHub Enterprise Server Stored XSS via Markdown Rendering Allows Session Hijacking (CVE-2026-11962)
Scope: GitHub Enterprise Server Versions 3.10.0 to 3.10.10, 3.11.0 to 3.11.7, and 3.12.0 to 3.12.3
Severity: Medium
A stored cross-site scripting vulnerability in GitHub Enterprise Server's markdown rendering engine allows any authenticated low-privilege user to inject persistent malicious JavaScript through issues, pull requests, or comments by crafting HTML and JavaScript content that bypasses the markdown sanitizer's filtering. Once stored, the injected script executes automatically in the session context of any user who subsequently views the affected content, enabling session token theft, unauthorized actions on behalf of the victim, and potential escalation through administrator account compromise. Organizations running self-hosted GitHub Enterprise Server must upgrade to versions 3.10.11, 3.11.8, or 3.12.4 or later, audit recent issues and pull request comments for suspicious script injections, and consider enabling Content Security Policy headers as an additional layer of defense.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.