Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
Briefly

"During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values."
"The vulnerability has also been addressed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. There is no evidence that the issue was ever exploited in a malicious context."
A critical security vulnerability, tracked as CVE-2026-3854, affects GitHub.com and GitHub Enterprise Server and enables remote code execution through a single 'git push' command. The flaw arises from inadequate sanitization of user-supplied push option values, which lets an attacker inject additional metadata fields into internal service headers. Wiz discovered the flaw on March 4, 2026, and GitHub quickly validated and deployed a fix. The vulnerability impacts various GitHub services, but there is no evidence of exploitation in the wild.
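The quoted description boils down to a classic delimiter-injection bug: a value that is meant to be one field is concatenated into a delimited header, and because the value can itself contain the delimiter, it becomes several fields. The following added example (not GitHub's code; GitHub's real header format, delimiter and field names are not public, so the `;`-joined `key=value` layout below is an assumption for illustration only) models the vulnerable builder beside a hardened one that percent-encodes values, plus a small detection helper a server operator could use to log push options that carry the delimiter.

```python
from urllib.parse import quote, unquote

# Assumed internal header layout for illustration: "key=value" fields joined by
# DELIM. This models the bug class described in the advisory, not GitHub's code.
DELIM = ";"


def build_header_unsafe(push_options):
    """Vulnerable pattern: raw push option values are concatenated into the
    delimited header, so a value containing DELIM silently adds extra fields."""
    fields = ["source=git-push"]
    fields += [f"push_option={opt}" for opt in push_options]
    return DELIM.join(fields)


def build_header_safe(push_options):
    """Hardened pattern: every value is percent-encoded with no characters
    exempt, so neither DELIM nor '=' can survive into the header. The consumer
    decodes each value after splitting, so the field boundary is unambiguous."""
    fields = ["source=git-push"]
    fields += [f"push_option={quote(opt, safe='')}" for opt in push_options]
    return DELIM.join(fields)


def parse_header(header):
    """Downstream consumer: split on DELIM, split each field on the first '=',
    decode the value. Later duplicate keys overwrite earlier ones, which is
    exactly why an injected field can override trusted metadata."""
    meta = {}
    for field in header.split(DELIM):
        key, _, value = field.partition("=")
        meta[key] = unquote(value)
    return meta


def is_suspicious_push_option(opt):
    """Detection helper: flag any push option that carries the delimiter, the
    key/value separator, or control characters. Useful for logging or alerting
    on a git server while the fix is being rolled out."""
    if any(ch in opt for ch in (DELIM, "=")):
        return True
    return any(ord(ch) < 0x20 for ch in opt)


if __name__ == "__main__":
    # Constructed push option value containing the assumed delimiter.
    crafted = ["x;flag=injected"]
    print("unsafe ->", parse_header(build_header_unsafe(crafted)))
    print("safe   ->", parse_header(build_header_safe(crafted)))
    print("flagged:", is_suspicious_push_option(crafted[0]))
```

With the unsafe builder the parsed metadata gains a `flag` key the pusher was never entitled to set; with the safe builder the whole value lands intact under `push_option` and no extra key appears. Encoding is preferable to blacklisting the delimiter because it also covers any separator the consumer might add later.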
Read at The Hacker News