PT-2026-54000 · Github · Github Enterprise Server
Credited researcher: Hamayanhamayan (+1)
Published: 2026-06-30 · Updated: 2026-06-30
CVE-2026-10585
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.21. The fixed releases are 3.17.17, 3.18.11, 3.19.8 and 3.20.4 (see Recommendations); installations running one of those releases, or a later patch release of the same line, are not affected.
Description
A stored cross-site scripting vulnerability allows an authenticated attacker to execute arbitrary JavaScript in another user's browser. The attacker injects a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent embeds user-controlled Discussion titles in a <script type="application/ld+json"> block without escaping them for the HTML script context. JSON encoding alone does not prevent this: the HTML tokenizer ends script data at the first </script sequence regardless of JSON string boundaries, so a title containing a closing </script> tag terminates the element early and the remainder of the title is parsed as HTML markup on every page that renders the structured data.
Because the Content Security Policy blocks the resulting inline script, the attacker escalates by leveraging JSONP (JSON with Padding: the server wraps its response in a caller-supplied callback function name so the data can be loaded as a cross-domain <script>) callback support in the REST API. This is the classic CSP bypass: the JSONP response is served from an origin the policy already permits as a script source, and the reflected callback name is executable JavaScript, so an attacker who controls the callback parameter obtains script execution without needing an inline script.
Recommendations
Update to version 3.20.4
Update to version 3.19.8
Update to version 3.18.11
Update to version 3.17.17
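To make the two mechanisms in the Description concrete, here is an added illustration in JavaScript. It is not GitHub's code and the component, field and endpoint names are assumptions; it models a JSON-LD block built from a title, shows how the HTML tokenizer sees it with and without HTML-context escaping, and shows why an unvalidated JSONP callback turns a `script-src 'self'` policy into a script source.

```javascript
// Added illustration, not GitHub's code. Component, field and endpoint names
// are assumptions; the malicious title below is constructed for the demo.
// Run with: node jsonld_xss.js

// --- Part 1: breaking out of a <script type="application/ld+json"> block ---

// Vulnerable pattern. JSON.stringify() escapes quotes, so the JSON stays
// valid, but it leaves "<", ">" and "&" untouched. The HTML tokenizer does not
// know about JSON string boundaries: script data ends at the first "</script"
// it sees, so a title containing "</script>" closes the element and the rest
// of the title is parsed as ordinary HTML markup.
function renderStructuredDataVulnerable(title) {
  const data = { "@context": "https://schema.org", "@type": "QAPage", name: title };
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened pattern: after JSON encoding, rewrite every character the HTML
// parser (or a JS line-terminator rule) could act on as a JSON \uXXXX escape.
// The text is still valid JSON, decodes to the original title, and can never
// contain a literal "</script".
function escapeJsonForHtml(jsonText) {
  return jsonText.replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderStructuredDataHardened(title) {
  const data = { "@context": "https://schema.org", "@type": "QAPage", name: title };
  return `<script type="application/ld+json">${escapeJsonForHtml(JSON.stringify(data))}</script>`;
}

// Mimics the browser's tokenizer on the rendered fragment: the script body runs
// from the end of the opening tag to the first "</script", and everything after
// that closing tag is parsed as markup.
function splitAsBrowserWould(html) {
  const bodyStart = html.indexOf(">") + 1;
  const closeAt = html.toLowerCase().indexOf("</script", bodyStart);
  return {
    scriptBody: html.slice(bodyStart, closeAt),
    markupAfter: html.slice(closeAt + "</script>".length),
  };
}

function parsesAsJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// --- Part 2: JSONP as a CSP bypass -----------------------------------------

// A CSP such as `script-src 'self'` blocks the injected inline script, but it
// still allows <script src="/same-origin/endpoint?callback=..."> because that
// response is same-origin script. If the endpoint reflects the callback name
// without validation, the attacker chooses the code that runs.
function jsonpResponseVulnerable(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Restricting the callback to a dotted identifier removes arbitrary code from
// the name. The leading comment is the usual defence against the response
// being interpreted as another file type (the "Rosetta Flash" trick).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpResponseHardened(callback, payload) {
  if (!CALLBACK_RE.test(callback)) throw new Error("invalid JSONP callback");
  return `/**/${callback}(${JSON.stringify(payload)});`;
}

// Demo with a constructed malicious title (not a real GHES payload).
const demoTitle = '</script><img src=x onerror=alert(1)>';
for (const render of [renderStructuredDataVulnerable, renderStructuredDataHardened]) {
  const { scriptBody, markupAfter } = splitAsBrowserWould(render(demoTitle));
  console.log(render.name, "| JSON the browser runs parses:", parsesAsJson(scriptBody),
    "| leftover markup:", JSON.stringify(markupAfter));
}
console.log("JSONP:", jsonpResponseVulnerable("alert(document.domain)//", { ok: true }));
```

Two caveats for anyone fixing similar code. First, the escaping has to happen after JSON encoding and target the HTML parser's characters (`<`, `>`, `&`), not HTML entities: entity-encoding inside a script element leaves the entities as literal text, because script data is never entity-decoded. Second, validating the JSONP callback as an identifier narrows the attack but still lets an attacker call any global function with the payload as its argument; the durable fix is to drop JSONP from any origin listed in `script-src`, or to drop it entirely.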
Fix
XSS
Affected Products
Github Enterprise Server