CVE-2026-10585
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A stored cross-site scripting vulnerability was found in GitHub Enterprise Server, allowing an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a malicious payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent failed to escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, enabling breakout from the script context. The attack was escalated to full XSS by leveraging JSONP callback support in the REST API to bypass Content Security Policy.
Risk Assessment
The risk includes session theft, account takeover, or unauthorized actions performed on behalf of the victim, potentially leading to data leakage or system integrity compromise.
Recommendation
Immediately upgrade GitHub Enterprise Server to version 3.20.4, 3.19.8, 3.18.11, 3.17.17, or 3.16.20, depending on the branch in use, and apply security patches.
Original NVD description (English source)
A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.

