GitHub Enterprise Server <3.18.1 XSS via Issues Label Filter
CVE-2025-11892 Published on November 10, 2025
DOM-based Cross-Site Scripting was identified in GitHub Enterprise Server Issues search allows privilege escalation and unauthorized workflow triggers
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allows DOM-based cross-site scripting via Issues search label filter that could lead to privilege escalation and unauthorized workflow triggers. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a user, while operating in sudo mode, to click on a crafted malicious link to perform actions that require elevated privileges. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.1, 3.17.7, 3.16.10, 3.15.14, 3.14.19.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-11892 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2025-11892
Want to know whenever a new CVE is published for github Enterprise Server? stack.watch will email you.
Affected Versions
GitHub Enterprise Server:- Version 3.18.0 and below 3.18.1 is affected.
- Version 3.17.0, <= 3.17.6 is affected.
- Version 3.16.0, <= 3.16.9 is affected.
- Version 3.15.0, <= 3.15.13 is affected.
- Version 3.14.0, <= 3.14.18 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.