Stored Cross-Site Scripting in GitHub Enterprise Server
CVE-2026-10585
What is CVE-2026-10585?
A stored cross-site scripting vulnerability was found in GitHub Enterprise Server, enabling authenticated attackers to execute arbitrary JavaScript in users' browsers by injecting malicious code into the titles of Discussions in the Q&A category. The vulnerability arose due to the failure of the AnsweredQuestionStructuredDataComponent to properly escape user-controlled Discussion titles before embedding them in a context. This flaw was further exploited by leveraging JSONP callback support in the REST API, effectively circumventing the Content Security Policy. The vulnerability was present in all versions of GitHub Enterprise Server prior to 3.21 and was mitigated in versions 3.20.4, 3.19.8, 3.18.11, and 3.17.17.
Affected Version(s)
Enterprise Server 3.17.0 <= 3.17.16
Enterprise Server 3.17.0 <= 3.17.16
Enterprise Server 3.18.0 <= 3.18.10
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved