CVE-2026-4821 - Vulnerability Analysis
N/a
Last Updated: April 21, 2026
GitHub Enterprise Server - Command Injection
Published: April 21, 2026
Updated: April 21, 2026
PoC Available
Overview
GitHub Enterprise Server < 3.21 contains a command injection vulnerability caused by improper neutralization of special elements in proxy configuration fields. It lets authenticated Management Console administrators execute arbitrary OS commands. Exploitation requires admin privileges.
Severity & Score
Severity: N/a
Impact
Authenticated administrators can execute arbitrary OS commands, potentially leading to full system compromise.
Mitigation
Update to versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, 3.14.26 or later.
References
- https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.21
- https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.17
- https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.14
- https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.8
- https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.5
Details
- CVE ID: CVE-2026-4821
- Severity: N/a
- Type: command_injection
- Status: new
CWE
- CWE-78
CVSS Metrics
N/A