GitHub patches sweeping RCE flaw that could expose millions of repos
GitHub fixed CVE-2026-3854, a remote code execution flaw that could let attackers gain full read/write access to private repositories with a single crafted git push. Reported by Wiz in March 2026, GitHub reproduced the issue within 40 minutes and deployed a fix on GitHub.com within two hours, with patches issued for GitHub Enterprise Server across supported releases. The vulnerability affected GitHub.com and multiple GHES products; Wiz warned exploitation could have exposed most enterprises’ codebases. GitHub says no customer data was accessed and no exploitation was observed before the patch, though about 88% of reachable GHES instances were still vulnerable at disclosure, prompting administrators to upgrade promptly.