Key Findings Critical vulnerability CVE-2026-3854 allows remote code execution on GitHub through a single git push command Affects GitHub Enterprise Cloud, GitHub Enterprise Server, and related variants Command injection flaw exploitable by any user with repository push access Vulnerability chain enables attackers to bypass sandbox protections and execute arbitrary commands as the git service user Wiz researchers discovered the flaw on March 4, 2026; GitHub patched within two
