Stored Cross-Site Scripting in GitHub Enterprise Server
CVE-2026-10585

6.3MEDIUM

Key Information:

Vendor

Github

Vendor
CVE Published:
30 June 2026

What is CVE-2026-10585?

A stored cross-site scripting vulnerability was found in GitHub Enterprise Server, enabling authenticated attackers to execute arbitrary JavaScript in users' browsers by injecting malicious code into the titles of Discussions in the Q&A category. The vulnerability arose due to the failure of the AnsweredQuestionStructuredDataComponent to properly escape user-controlled Discussion titles before embedding them in a context. This flaw was further exploited by leveraging JSONP callback support in the REST API, effectively circumventing the Content Security Policy. The vulnerability was present in all versions of GitHub Enterprise Server prior to 3.21 and was mitigated in versions 3.20.4, 3.19.8, 3.18.11, and 3.17.17.

Affected Version(s)

Enterprise Server 3.17.0 <= 3.17.16

Enterprise Server 3.17.0 <= 3.17.16

Enterprise Server 3.18.0 <= 3.18.10

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

hamayanhamayan
Seokchan Yoon (hxxps://ch4n3.kr)
.