PT-2026-54000 · Github · Github Enterprise Server

Hamayanhamayan

Published: 2026-06-30 · Updated: 2026-06-30

CVE-2026-10585

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21

Description: A stored cross-site scripting issue exists in which an authenticated attacker can execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion within the Q&A category. The AnsweredQuestionStructuredDataComponent fails to escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, so a title can break out of the script context. The attack is further escalated by leveraging JSONP (JSON with Padding, a technique for cross-domain data requests) callback support in the REST API to bypass the Content Security Policy.

Recommendations: Update to version 3.20.4; update to version 3.19.8; update to version 3.18.11; update to version 3.17.17.
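The escaping defect described above, shown as an added example that is not part of the advisory and not GitHub's code: a naive JSON-LD embedding of a Discussion title beside a hardened one, plus the check a reviewer would run over the rendered block. The sample title is constructed; the CSP/JSONP escalation is not modelled.

```python
import json

# Constructed sample title (not from the advisory). It carries the character
# sequence the HTML tokenizer treats as the end of a <script> element.
SAMPLE_TITLE = 'How do I close a </script> tag in Markdown?'

def _jsonld(title: str) -> dict:
    """Minimal QAPage structured-data object carrying a Discussion title."""
    return {"@context": "https://schema.org", "@type": "QAPage", "name": title}

def render_naive(title: str) -> str:
    """Embedding as the advisory describes: plain JSON serialization. JSON
    needs no escaping of '<' or '>', so '</script>' in the title ends the
    element and everything after it is parsed as markup."""
    return '<script type="application/ld+json">' + json.dumps(_jsonld(title)) + "</script>"

def render_safe(title: str) -> str:
    """Hardened embedding: after serializing, replace HTML-significant
    characters with JSON unicode escapes. The HTML parser never decodes
    them, so the element cannot be closed early, while JSON.parse() still
    returns the original title ('&' is escaped for attribute reuse)."""
    body = json.dumps(_jsonld(title))
    for ch, esc in (("&", "\\u0026"), ("<", "\\u003c"), (">", "\\u003e")):
        body = body.replace(ch, esc)
    return '<script type="application/ld+json">' + body + "</script>"

def _script_body(html: str) -> str:
    """Text between the opening tag and the final </script>."""
    return html[html.index(">") + 1 : html.rindex("</script>")]

def breakout_possible(html: str) -> bool:
    """Conservative review check on a rendered JSON-LD block: the script body
    must contain neither '</' (how the tokenizer leaves script data) nor
    '<!--' (which enters the escaped state). A hit means user data reached
    the script context unescaped."""
    body = _script_body(html).lower()
    return "</" in body or "<!--" in body

def parsed_title(html: str) -> str:
    """What a structured-data consumer reads back from the block."""
    return json.loads(_script_body(html))["name"]

if __name__ == "__main__":
    print("naive breakout:", breakout_possible(render_naive(SAMPLE_TITLE)))
    print("safe breakout: ", breakout_possible(render_safe(SAMPLE_TITLE)))
    print("safe round-trip:", parsed_title(render_safe(SAMPLE_TITLE)) == SAMPLE_TITLE)
```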

Tags: Fix · XSS
