CVE-2026-10585: A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's brow
A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The AnsweredQuestionStructuredDataComponent did not escape user-controlled Discussion titles before embedding them in a <script type="application/ld+json"> block, allowing the title to break out of the script context. The injection was escalated to a full cross-site scripting attack on GitHub Enterprise Server by leveraging JSONP callback support in the REST API to bypass the Content Security Policy. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-10585
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-105850.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-10585 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for A stored cross-site
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-6939: The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Si…nvd · 2026-07-11
- mediumCVE-2026-1382: The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '…nvd · 2026-07-11
- mediumCVE-2026-15010: The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versio…nvd · 2026-07-11
- mediumCVE-2026-12126: The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnera…nvd · 2026-07-11
- mediumCVE-2026-11898: The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admi…nvd · 2026-07-11
- mediumCVE-2026-11591: The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripti…nvd · 2026-07-11
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11