GitHub vulnerability CVE-2026-3854 allows code execution with a single git push

April 29, 2026, By SC Staff

A high-severity vulnerability, tracked as CVE-2026-3854, has been discovered in GitHub that enables remote code execution through an ordinary git push. The flaw affects GitHub Enterprise products, including GitHub Enterprise Cloud and GitHub Enterprise Server. It stems from a command injection issue that lets an attacker with push access to a repository execute arbitrary commands on vulnerable systems, putting users of both GitHub.com and GitHub Enterprise Server at risk, as reported by Security Affairs.

CVE-2026-3854 arises from improper handling of special elements within GitHub Enterprise Server. During a git push, user-supplied push option values were not adequately sanitized before being incorporated into internal service headers. An attacker could exploit this by injecting additional metadata fields through crafted push options, tricking downstream services into treating attacker-controlled input as trusted data. The result could be an altered execution environment, a bypass of sandbox protections, and arbitrary command execution on the server.

Wiz researchers reported the flaw on March 4, 2026, and GitHub addressed it within two hours by sanitizing the inputs and releasing patches for affected Enterprise Server versions. No real-world exploitation beyond the researchers' own tests was found, and no customer data was compromised. Had it been exploited, the vulnerability could have allowed attackers to execute code on shared storage nodes, potentially exposing millions of repositories on GitHub.com, or to fully compromise Enterprise Server instances. Wiz noted that 88% of instances remained vulnerable at the time of its report and urged immediate upgrades.
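To make the bug class concrete, the following is an added illustrative model of header injection through push options, written for this page and not taken from GitHub's code or from the Wiz report. It assumes a hypothetical internal service that serialises each push option (the value a client sends with `git push -o <value>`) into a `X-Push-Option` header line and a hypothetical `X-Sandbox-Mode` field that only internal components are supposed to set; a downstream parser that reads one `Name: value` pair per CRLF-terminated line is likewise an assumption. The vulnerable serialiser concatenates the value unchecked, so a CRLF inside it starts a new header line; the hardened one rejects control characters, and a small check reports any field that only exists because a push option smuggled it in. Note that the stock git client refuses newline characters in push options, but a server cannot rely on that: the value arrives as raw protocol bytes from whatever client the attacker chooses.

```python
# Added illustrative model of the bug class described above (push-option values
# spliced into internal service headers). It is NOT GitHub's code; the header
# names and the downstream parser are assumptions made for the demonstration.
import re
from typing import List, Tuple

OPTION_HEADER = "X-Push-Option"      # hypothetical header carrying each push option
TRUSTED_HEADER = "X-Sandbox-Mode"    # hypothetical field only an internal service should set

# Control characters, including CR and LF, must never reach a header value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafePushOption(ValueError):
    """Raised by the hardened serializer when a push option contains control characters."""


def serialize_headers_vulnerable(push_options: List[str]) -> str:
    """Splice push options into a header block without checking them.

    A value containing '\\r\\n' therefore terminates its own header line and
    starts a new one, which a downstream parser reads as a separate field.
    """
    lines = [f"{OPTION_HEADER}: {value}" for value in push_options]
    return "\r\n".join(lines) + "\r\n\r\n"


def is_safe_push_option(value: str) -> bool:
    """True when the value carries no control characters (CR, LF, NUL, ...)."""
    return _CONTROL_CHARS.search(value) is None


def serialize_headers_hardened(push_options: List[str]) -> str:
    """Same serializer, but reject any option that could break out of its line."""
    for value in push_options:
        if not is_safe_push_option(value):
            raise UnsafePushOption(f"push option contains control characters: {value!r}")
    lines = [f"{OPTION_HEADER}: {value}" for value in push_options]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(block: str) -> List[Tuple[str, str]]:
    """Parse a header block the way a naive downstream service would:
    one 'Name: value' pair per CRLF-terminated line, no provenance tracking."""
    headers = []
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return headers


def find_injected_fields(push_options: List[str]) -> List[str]:
    """Detection check: run the vulnerable path and report every header name other
    than OPTION_HEADER, i.e. fields that exist only because an option smuggled them in."""
    parsed = parse_headers(serialize_headers_vulnerable(push_options))
    return [name for name, _ in parsed if name != OPTION_HEADER]


# Constructed sample inputs. The crafted one is what a client would send if it
# placed a CRLF sequence and a second field inside a single push option.
BENIGN_OPTIONS = ["ci.skip"]
CRAFTED_OPTIONS = ["ci.skip\r\n" + TRUSTED_HEADER + ": disabled"]

if __name__ == "__main__":
    print(parse_headers(serialize_headers_vulnerable(CRAFTED_OPTIONS)))
    print(find_injected_fields(CRAFTED_OPTIONS))
    try:
        serialize_headers_hardened(CRAFTED_OPTIONS)
    except UnsafePushOption as err:
        print("hardened serializer rejected it:", err)
```

Run stand-alone, the script shows the crafted option turning into two parsed fields, `X-Push-Option: ci.skip` followed by `X-Sandbox-Mode: disabled`, which the downstream parser cannot distinguish from a field set by a trusted component. The hardened path refuses the value outright rather than trying to strip the offending bytes, which is the safer choice for a value that is never legitimately allowed to contain them.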
Source: Security Affairs