Find notable cyber news and cases, enriched with sources, timelines, and signals.

GitHub CVE-2026-3854 security patch release

Security Patch Release
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

GitHub released security fixes for CVE-2026-3854, patching GitHub.com and supported GitHub Enterprise Server builds after a critical remote code execution flaw that could expose private repositories. GitHub said it fixed GitHub.com in less than two hours after the report and prepared GHES updates for supported releases, with administrators told to upgrade immediately.

Related Happenings

GitHub npm version 12 hardens installs and token management

Security Tool/Service
H score11 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation
H score25 First: 09.07.2026 19:49 Last: 09.07.2026 19:49 Sources 1

About this happening: GitHub is steering **npm users** away from **long-lived publish tokens** as **npm GATs** that bypass **2FA** lose direct publishing and sensitive-management abilities. The recomme...

Gitea Docker images security update (CVE-2026-20896)

Security Patch Release
H score51 First: 06.07.2026 19:28 Last: 06.07.2026 19:28 Sources 1

About this happening: Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Gravity SMTP security patch release for CVE-2026-4020

Security Patch Release
H score16 First: 20.06.2026 12:56 Last: 20.06.2026 12:56 Sources 1

About this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...

Timeline

  1. 29.04.2026 15:41 1 articles · 2mo ago

    Wiz reports CVE-2026-3854 to GitHub

    Initial Disclosure

    Wiz researchers reported CVE-2026-3854 through GitHub's bug bounty program on March 4, 2026, and GitHub's security team reproduced and confirmed the vulnerability within 40 minutes.

    Show sources
  2. 29.04.2026 15:41 1 articles · 2mo ago

    GitHub confirms malicious git push RCE path

    Technical Analysis Update

    CVE-2026-3854 let a single maliciously crafted git push inject user-supplied options into internal server metadata without sufficient sanitization, bypass sandboxing protections, and execute arbitrary code on the server handling the push. On GitHub.com, the flaw exposed shared storage nodes, and on GitHub Enterprise Server it granted full server compromise with access to hosted repositories and internal secrets.

    Show sources
  3. 29.04.2026 15:41 2 articles · 2mo ago

    GitHub deploys fixes and GHES patches for CVE-2026-3854

    Mitigation Patch Update

    GitHub deployed a fix to GitHub.com less than two hours after receiving the report and prepared supported GitHub Enterprise Server patches for versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, 3.20.0, or later. GitHub also stated that no other users or accounts triggered the exploit path and that no customer data was accessed, modified, or exfiltrated before patches were deployed.

    Show sources