GitHub Discloses Critical Git Push RCE That Could Have Exposed Millions of Private Repositories, With 88 Percent of Self-Hosted Servers Still Unpatched
CVE-2026-3854 let any authenticated user run code on GitHub's backend with a single git push. GitHub patched github.com in two hours on March 4; public disclosure on April 28 found most Enterprise Server instances still vulnerable.