CVE-2026-3306

Published 10/03/2026 18:19 · Modified 11/03/2026 13:53

Labels: CVE-2026-3306, 2026-03-10, CWE-639, [email protected]

Essential information

Published: 10/03/2026 18:19
Modified: 11/03/2026 13:53
Author
Creator
CVSS: 5.3 MEDIUM (v3), 5.3 MEDIUM (v4.0)
CISA KEV: No
CWE
CVSS vector

CVSS metrics

Description

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.14.24:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.15.19:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.16.15:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.17.12:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.18.6:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:3.19.3:*:*:*:*:*:*:*
github / github enterprise server | cpe:2.3:a:github:github_enterprise_server:<3.14.24:*:*:*:*:*:*:*

References