Zero Day Monitor (ZDM)
CVE-2026-3854 (PATCHED) · Score: 8.7
Vendor/product: github · enterprise_server

Remote code execution via git push option injection in GitHub Enterprise Server

Description

The article provides additional technical details about the vulnerability's impact and exploitation methods, including the ability to access millions of private repositories and the bypassing of sandboxing protections.

Affected Products

Vendor   Product             Versions
github   enterprise_server   3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.18.8, 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.19.4

References

  • https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25
  • https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20
  • https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16
  • https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13
  • https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7
  • https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4

Related News (8 articles)

Tier D · Help Net Security · 4h ago
Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months
→ No new info (linked only)

Tier E · Hacker News · 3d ago
CVE-2026-3854
→ No new info (linked only)

Tier D · BleepingComputer · 4d ago
GitHub fixes RCE flaw that gave access to millions of private repos
→ No new info (linked only)

Tier D · Heise Security · 4d ago
GitHub and GitHub Enterprise Server: code smuggling via push
→ No new info (linked only)

Tier D · CSO Online · 4d ago
Critical GitHub RCE bug exposed millions of repositories
→ No new info (linked only)

Tier D · SecurityWeek · 4d ago
Critical GitHub Vulnerability Exposed Millions of Repositories
→ No new info (linked only)

Tier E · Lobsters Security · 4d ago
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
→ No new info (linked only)

Tier D · The Hacker News · 4d ago
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
→ No new info (linked only)
CVSS 3.1: 8.7 (CRITICAL)
CISA KEV: No
Actively exploited: No
Patch available: 3.20.0
CWE: CWE-77, CWE-94
Published: Mar 10, 2026
Last enriched: 3d ago (v4)
Tags: RCE, command injection
Trending Score: 67
Source articles: 8
Independent: 8
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-4821 (EXP)
Proxy configuration command injection vulnerability found in GitHub Enterprise Server Management Console configuration API
Trending: 14

NONE · CVE-2026-5921
Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack
Trending: 10

NONE · CVE-2026-5845
Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server
Trending: 10

NONE · CVE-2026-4296
Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass
Trending: 10

NONE · CVE-2026-5512 (EXP)
Improper authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository names via mobile upload policy API
Trending: 9

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 10, 2026
Discovered by ZDM: Apr 1, 2026
Exploit Available: Apr 29, 2026
Patch Available: Apr 29, 2026
Updated (affectedVersions, cweIds, tags): Apr 29, 2026
Updated (severity, cvssEstimate, affectedVersions, exploitAvailable, patchAvailable): Apr 29, 2026
Updated (description, severity, affectedVersions): Apr 29, 2026

Version History

Current version: v4 (last enriched 3d ago)

v4 · Tier D · 3d ago
Updated severity to CRITICAL, added affected versions, and provided a more detailed description of the vulnerability's impact and exploitation methods.
Fields changed: description, severity, affectedVersions
via BleepingComputer

v3 · Tier D · 4d ago
Updated severity to HIGH, CVSS score to 8.7, added affected version 3.18.8, and noted that the vulnerability is exploitable.
Fields changed: severity, cvssEstimate, affectedVersions, exploitAvailable, patchAvailable
via Heise Security

v2 · Tier D · 4d ago
Updated description with detailed technical information, changed severity to HIGH, added CVSS estimate of 8.8, and included new affected version 3.20.0.
Fields changed: affectedVersions, cweIds, tags
via CSO Online

v1 · 31d ago
Initial creation