Reverse Engineering With AI Unearths High-Severity GitHub Bug

ID: 76df6548-277d-5ed7-a207-47580627607e

STIX ID: report--76df6548-277d-5ed7-a207-47580627607e

Feed Name: Dark Reading

Threat Score: 70/100

Date Published: 2026-04-29

Date Updated: 2026-04-29

Author: Alexander Culafi

GitHub disclosed CVE-2026-3854, a remote code execution (RCE) flaw with a CVSS score of 8.7 in GitHub Enterprise Server and related services. Unsanitized git push options could be injected into internal metadata, enabling an attacker with push access to achieve RCE. Wiz used AI-assisted reverse engineering to find and demonstrate the issue. GitHub has patched affected services and reported no evidence of exploitation; Enterprise Server customers must upgrade to the specified fixed versions.