GitHub Enterprise Server Command Injection RCE via Git Push (CVE-2026-3854)
Scope: GitHub Enterprise Server / GitHub Enterprise Cloud
Severity: High
Description: A command injection vulnerability in GitHub's internal git push pipeline allowed any authenticated user with push access to a repository, including a repository the user had created themselves, to execute arbitrary code on GitHub's backend infrastructure with a single crafted git push command. No additional user interaction was required.

Impact: On GitHub Enterprise Server, exploitation could result in full instance compromise, including access to all hosted repositories and internal secrets. GitHub.com, which also hosts GitHub Enterprise Cloud, was patched within two hours of disclosure on March 4, 2026. As of public disclosure on April 28, approximately 88% of self-hosted GitHub Enterprise Server instances remained unpatched.

Recommendation: GitHub Enterprise Server administrators must upgrade immediately to version 3.19.3 or later. Audit /var/log/github-audit.log for git push options containing a semicolon (;) as an indicator of exploitation attempts; because push options (git push -o) are a legitimate git feature, treat a match as a lead to investigate rather than confirmation of compromise, and extend the search back over the full period the instance was exposed, not only the days around patching.
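The following is an added example of the audit check described above, written for this page; it is not GitHub's tooling and nothing in it is taken from the vulnerable code. It scans JSON-per-line audit records for push options containing a semicolon and reports the actor and repository for each hit, and it includes a small version comparison against the 3.19.3 threshold. The record layout and the field names ("action", "actor", "repo", "push_options") are assumptions made for the example, and the log lines embedded in it are constructed; check them against the real schema of /var/log/github-audit.log on your instance before relying on the script.

```python
"""Scan GitHub Enterprise Server audit-log records for git push options that
contain a semicolon, the exploitation indicator named in the advisory.

Added example for this page, not GitHub's own tooling. The one-JSON-object-
per-line layout and the field names used here ("action", "actor", "repo",
"push_options") are ASSUMPTIONS; verify them against the real schema of
/var/log/github-audit.log before relying on this.
"""
import json
import sys
from typing import Iterable, Iterator, List

# Constructed sample records for demonstration (not real log data).
SAMPLE_AUDIT_LOG = """\
{"action":"git.push","actor":"alice","repo":"acme/app","push_options":["ci.skip"]}
{"action":"git.push","actor":"mallory","repo":"mallory/scratch","push_options":["ci.skip; id > /tmp/pwned"]}
{"action":"repo.create","actor":"bob","repo":"bob/new"}
this line is not JSON and must not abort the scan
{"action":"git.push","actor":"carol","repo":"acme/app","push_options":[]}
{"action":"git.push","actor":"dave","repo":"acme/app","push_options":"single;string"}
"""

MIN_PATCHED = (3, 19, 3)  # the only fixed version the advisory names


def iter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed JSON objects, silently skipping blank or malformed lines
    so one corrupt line cannot stop an audit of the whole file."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def suspicious_push_options(lines: Iterable[str]) -> List[dict]:
    """Return one finding per push option that contains a semicolon.

    A semicolon is the indicator the advisory names; a hit is a lead to
    investigate, not proof of compromise, since push options are a normal
    git feature (git push -o).
    """
    findings = []
    for rec in iter_records(lines):
        opts = rec.get("push_options")  # assumed field name
        if opts is None:
            continue
        if isinstance(opts, str):  # tolerate a single string as well as a list
            opts = [opts]
        for opt in opts:
            if isinstance(opt, str) and ";" in opt:
                findings.append({
                    "actor": rec.get("actor"),
                    "repo": rec.get("repo"),
                    "option": opt,
                })
    return findings


def is_patched(version: str) -> bool:
    """True if the dotted version string is 3.19.3 or later.

    The advisory names only 3.19.3, so any earlier release line is reported
    as unpatched here; consult the vendor notes for other supported lines.
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts >= MIN_PATCHED


if __name__ == "__main__":
    # Read the real log from stdin when piped in, otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    for f in suspicious_push_options(source):
        print(f"SUSPICIOUS push option by {f['actor']} on {f['repo']}: {f['option']!r}")
```

Run it against a real instance with `python3 scan.py < /var/log/github-audit.log`, after confirming the field names. The scanner deliberately keeps going past lines it cannot parse and accepts both a list and a single string in the options field, so a partially rotated or oddly formatted log does not hide an attempt.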
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.