Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered stored XSS requires an authenticated account (PR:L) and victim page view (UI:R); scope changes because full JavaScript execution in the victim's browser enables session hijacking (C:H/I:H on subsequent system).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com/ .
AnalysisAI
Stored cross-site scripting in GitHub Enterprise Server's Q&A Discussion feature allows an authenticated attacker to execute arbitrary JavaScript in any visiting user's browser by embedding a crafted payload into a Discussion title. The AnsweredQuestionStructuredDataComponent unsafely injects user-controlled titles into a server-rendered <script type="application/ld+json"> block, enabling script-context breakout; the attacker then leverages JSONP callback support in the GHES REST API to load arbitrary JavaScript and bypass the Content Security Policy entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated account on the target GitHub Enterprise Server instance with permission to create Discussions in the Q&A category (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) accurately captures the multi-signal risk profile: AV:N and AC:L confirm the attack is network-accessible with low complexity, while PR:L reflects the authentication requirement and UI:P the need for victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated GHES user creates a new Q&A Discussion and sets the title to a crafted string that terminates the JSON-LD script block and injects a JSONP-backed script tag pointing to a REST API endpoint with an attacker-controlled callback parameter. When a victim developer navigates to the Discussion page - for example, while triaging questions from colleagues - the injected script fires in the victim's browser, extracting the session cookie or CSRF token and transmitting it to an attacker-controlled endpoint, enabling full account takeover without any further interaction. … |
| Remediation | Upgrade GitHub Enterprise Server to the patched release corresponding to the deployed branch: 3.17.17, 3.18.11, 3.19.8, or 3.20.4, per the vendor release notes linked above. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Server
View allServer-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issui
URL redirection vulnerability in GitHub Enterprise Server allows attacker-controlled redirects through crafted URLs, pot
Remote code execution in GitHub Enterprise Server allows authenticated users with repository push access to execute arbi
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scr
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
Server-side request forgery in GitHub Enterprise Server's notebook viewer enables remote unauthenticated attackers to ac
A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
GitHub Enterprise Server allows authenticated webhook administrators to bypass network restrictions through Server-Side
Here is the multi-source synthesis for CVE-2026-8606: ```json { "product_name": "GitHub Enterprise Server", "summar
GitHub Enterprise Server versions before 3.20 contain an authorization bypass in the repository migration upload endpoin
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40424
GHSA-f24q-32qp-rrx8