CVE-2025-3246

HIGH EPSS 19.3%

Published Apr 17, 20251y ago · Modified Jun 17, 20261w ago

8.6 CVSS 4.0

High

Published Apr 17, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Details

Base Score

8.6

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity High

Privileges Required Low

User Interaction A

Scope X

Threat Intelligence

EPSS Exploit Probability

19.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
github	enterprise_server	3.16.1	any

References 1

docs.github.com https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2

Release Notes

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.