CVE-2026-3306
Essential information
- Published
- 10/03/2026 18:19
- Modified
- 11/03/2026 13:53
- Author
- —
- Creator
- —
- CVSS
- 5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- LOW
- User interaction
- NONE
- Confidentiality (V)
- NONE
- Confidentiality (S)
- NONE
- Integrity (V)
- LOW
- Integrity (S)
- NONE
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
Affected products (CPE)
| Product | CPE |
|---|---|
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.14.24:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.15.19:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.16.15:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.17.12:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.18.6:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.19.3:*:*:*:*:*:*:* |
| github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:<3.14.24:*:*:*:*:*:*:* |