
GitHub Enterprise Server CVE-2026-10585

EUVD ID: EUVD-2026-40424 · Severity: MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 · Assigner: product-cna@github.com · Advisory: GHSA-f24q-32qp-rrx8
Score: 6.3 (CVSS 4.0) · Vendor: github

Severity by source

Vendor (github), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.7 HIGH

Network-delivered stored XSS requires an authenticated account (PR:L) and a victim page view (UI:R); scope changes because full JavaScript execution in the victim's browser enables session hijacking (C:H/I:H on the subsequent system).

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (github).

CVSS Vector (Vendor: github)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: Not defined (X)

Lifecycle Timeline

1. Analysis Generated: Jun 30, 2026 - 22:31 (vuln.today)

Description (CVE.org)

A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com/.
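The defect class described above (and restated in the AI analysis and attack chain below) is a server-rendered inline JSON-LD block that receives a user-controlled string without escaping the characters the HTML tokenizer acts on. The Ruby snippet below is an added example written for this page; it is not GitHub's AnsweredQuestionStructuredDataComponent or any GHES code. The QAPage structure, the function names, the sample title and the reviewer check are all constructed here. It shows the vulnerable rendering shape beside a hardened one, and a check that a page reviewer can run against rendered HTML to confirm that no user-supplied text can terminate the script element early.

```ruby
require 'json'

# Added illustration of the defect class in the advisory above; it is not
# GitHub's component code. Function names, the QAPage structure and the sample
# title are constructed for this example.

# JSON string escapes for the characters the HTML tokenizer reacts to inside a
# <script> element. They are ordinary JSON escapes, so the JSON-LD stays valid
# and JSON.parse still yields the original title.
JSON_IN_HTML_ESCAPES = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',   # line separator: also unsafe inside JS string literals
  "\u2029" => '\u2029'    # paragraph separator
}.freeze

# Minimal QAPage structured data. In the affected page the title comes from the
# Discussion record, so it is attacker-controlled.
def json_ld_body(title)
  JSON.generate({ '@context' => 'https://schema.org', '@type' => 'QAPage', 'name' => title })
end

# Vulnerable shape: JSON.generate escapes quotes and backslashes but leaves
# '<' and '>' alone, so a title containing "</script>" closes the element early
# and whatever follows is parsed as HTML.
def render_naive(title)
  %(<script type="application/ld+json">#{json_ld_body(title)}</script>)
end

# Hardened shape: escape HTML-significant characters after JSON encoding.
# (Rails exposes the same idea as ERB::Util.json_escape.)
def escape_json_for_html(json)
  json.gsub(/[<>&\u2028\u2029]/) { |c| JSON_IN_HTML_ESCAPES[c] }
end

def render_hardened(title)
  %(<script type="application/ld+json">#{escape_json_for_html(json_ld_body(title))}</script>)
end

# Reviewer check: the HTML parser closes a script element at "</script"
# followed by whitespace, "/" or ">" (case-insensitive). The inline body must
# contain exactly one such sequence: the genuine closing tag.
SCRIPT_END = %r{</script[\s/>]}i

def script_context_intact?(html)
  body = html[(html.index('>') + 1)..-1]
  body.scan(SCRIPT_END).length == 1
end

# Constructed sample title with the minimal script-context breakout shape.
SAMPLE_TITLE = 'Which token scopes do I need? </script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts render_naive(SAMPLE_TITLE)
  puts script_context_intact?(render_naive(SAMPLE_TITLE))     # false
  puts render_hardened(SAMPLE_TITLE)
  puts script_context_intact?(render_hardened(SAMPLE_TITLE))  # true
end
```

The important design point is the order of operations: HTML-escaping the title before JSON encoding would corrupt the displayed value and can be undone by a JSON round trip, whereas escaping `<`, `>`, `&` and the two Unicode line terminators in the JSON text itself keeps the document valid JSON while removing every byte sequence the HTML tokenizer could interpret as an end tag.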

Analysis (AI)

Stored cross-site scripting in GitHub Enterprise Server's Q&A Discussion feature allows an authenticated attacker to execute arbitrary JavaScript in any visiting user's browser by embedding a crafted payload into a Discussion title. The AnsweredQuestionStructuredDataComponent unsafely injects user-controlled titles into a server-rendered <script type="application/ld+json"> block, enabling script-context breakout; the attacker then leverages JSONP callback support in the GHES REST API to load arbitrary JavaScript and bypass the Content Security Policy entirely. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to GHES instance
Delivery: Create Q&A Discussion with title containing JSON-LD breakout payload
Exploit: Victim browses to Discussion page
Install: Browser renders unsanitized title inside JSON-LD script block
C2: JSONP REST API endpoint loaded as script, bypassing CSP
Execute: Arbitrary JavaScript executes in victim's browser context
Impact: Session token exfiltrated or victim actions performed

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold a valid authenticated account on the target GitHub Enterprise Server instance with permission to create Discussions in the Q&A category (PR:L). …
Risk Assessment: The CVSS 4.0 score of 6.3 (Medium) accurately captures the multi-signal risk profile: AV:N and AC:L confirm the attack is network-accessible with low complexity, while PR:L reflects the authentication requirement and UI:P the need for victim interaction. …
Exploit Scenario: An authenticated GHES user creates a new Q&A Discussion and sets the title to a crafted string that terminates the JSON-LD script block and injects a JSONP-backed script tag pointing to a REST API endpoint with an attacker-controlled callback parameter. When a victim developer navigates to the Discussion page, for example while triaging questions from colleagues, the injected script fires in the victim's browser, extracting the session cookie or CSRF token and transmitting it to an attacker-controlled endpoint, enabling full account takeover without any further interaction. …
Remediation: Upgrade GitHub Enterprise Server to the patched release corresponding to the deployed branch: 3.17.17, 3.18.11, 3.19.8, or 3.20.4, per the vendor release notes. …


Related GitHub Enterprise Server vulnerabilities

  • CVE-2026-9312 · CRITICAL · 9.2 · May 27: Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
  • CVE-2026-0573 · CRITICAL · 9.0 · Feb 18: URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot
  • CVE-2026-3854 · HIGH · POC · 8.7 · Mar 10: Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi
  • CVE-2025-3246 · HIGH · 8.6 · Apr 17: An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr
  • CVE-2026-4821 · HIGH · 8.1 · Apr 21: An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
  • CVE-2026-8034 · HIGH · 7.9 · May 07: Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac
  • CVE-2025-3509 · HIGH · 7.1 · Apr 17: A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute
  • CVE-2026-4296 · HIGH · 7.5 · Apr 21: An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp
  • CVE-2026-5845 · HIGH · 7.2 · Apr 21: An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
  • CVE-2026-1999 · HIGH · 7.1 · Feb 18: GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side
  • CVE-2026-8606 · HIGH · 7.0 · May 26: Here is the multi-source synthesis for CVE-2026-8606: ```json { "product_name": "GitHub Enterprise Server", "summar
  • CVE-2026-1355 · MEDIUM · 6.5 · Feb 18: GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin
