Key Findings Critical command injection vulnerability (CVE-2026-3854, CVSS 8.7) allows authenticated users to achieve remote code execution via a single git push command Affects GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server across multiple versions Flaw stems from unsanitized user-supplied git push options being embedded in internal service headers without proper delimiter handling Exploitation chain allows attackers to bypass sandbox protections, redirect
