CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-8034 — A server-side request forgery (SSRF) vulnerability was identified in the GitHub ...

·Source: NIST NVD

Updated:

Executive Summary

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the

Analysis

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program. CVSS Score: 9.8. Published: 2026-05-07T22:16:37.230.

Indicators of Compromise (1)

CVE (1)
CVE-2026-8034
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 7, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Texas sues Netflix over alleged data practices that create ‘surveillance machinery’ without user consent

In addition to fines, Texas is asking a judge to prevent Netflix from illegally collecting and sharing user data and to mandate that the company no longer use autoplay by default on kids’ profiles.

The Record
CRITICALVulnerability

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control

CVE-2026-41940
The Hacker News
MEDIUMVulnerability

Visa unveils Tap to Confirm tech

Visa has introduced technology lets people verify their identity or activate a new card by tapping their physical card to their mobile inside the issuer’s banking app.

Finextra