
"GitHub fixed the issue on GitHub.com and released patches for all supported versions of GitHub Enterprise Server within hours of the report. However, Wiz said that 88% of Enterprise Server instances remained vulnerable on the internet at the time of public disclosure."
"The flaw, tracked as CVE-2026-3854, stemmed from how GitHub processes git push requests within its backend Git infrastructure. According to Wiz, the issue involves an internal component referred to as X-STAT."
"Wiz researchers found that a specially crafted git push could pass maliciously structured input into X-STAT, where it was not safely handled before being incorporated into backend command execution."
GitHub addressed a vulnerability tracked as CVE-2026-3854, which arose from improper processing of git push requests. The flaw involved an internal component called X-STAT: a specially crafted push could pass maliciously structured input into X-STAT, where it was not safely handled before being incorporated into backend command execution. Although GitHub patched GitHub.com and all supported versions of GitHub Enterprise Server within hours of the report, Wiz reported that 88% of internet-exposed Enterprise Server instances remained vulnerable at the time of public disclosure, a gap between patch availability and patch deployment on self-hosted instances.
Read at InfoWorld