Github-Enterprise-Server

Vulnerabilities 2026-04-29
CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
github github-enterprise-server rce command-injection babeld git ci-cd CVE-2026-3854

CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure