Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
ID: d2797c5c-bf69-5778-8ba1-2102e03f96a2
STIX ID: report--d2797c5c-bf69-5778-8ba1-2102e03f96a2
Feed Name: Wiz Blog
Wiz Research disclosed CVE-2026-3854, a critical injection vulnerability in GitHub's handling of its internal X-Stat header. An authenticated git push could inject semicolon-delimited fields into the header and override security metadata, which enabled remote code execution on GitHub Enterprise Server and on GitHub.com, where it could have led to cross-tenant repository exposure. GitHub mitigated GitHub.com within hours and released patches for GHES, but many GHES instances remained unpatched at the time of disclosure.
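The bug class behind the summary above, delimiter injection into a semicolon-separated metadata header, is illustrated by the following added example. It is not GitHub's code and not Wiz's proof of concept; the page does not describe the actual X-Stat format, so the header layout (`key=value;key=value`), the field names `trusted` and `ref`, and the sample input are all assumptions made for illustration. The naive builder concatenates a client-controlled value verbatim, the naive parser lets the last occurrence of a key win, and the hardened versions reject delimiter characters on the way in and duplicate keys on the way out.

```python
# Added example (not GitHub's or Wiz's code). Header format, field names and
# sample input are hypothetical; only the vulnerability class is taken from
# the summary: a client-controlled value that reaches a semicolon-delimited
# metadata header without escaping can append fields that override trusted ones.

DELIMS = frozenset(";=\r\n")


def build_header_naive(fields):
    """Vulnerable: values are joined verbatim, so a ';' inside a value
    starts a new field."""
    return ";".join(f"{k}={v}" for k, v in fields.items())


def parse_header_naive(header):
    """Vulnerable: last occurrence of a key silently wins."""
    out = {}
    for part in header.split(";"):
        if not part:
            continue
        k, _, v = part.partition("=")
        out[k] = v
    return out


def build_header_strict(fields):
    """Hardened: refuse to serialise any key or value containing a delimiter."""
    for k, v in fields.items():
        if any(c in DELIMS for c in k) or any(c in DELIMS for c in v):
            raise ValueError(f"delimiter character in field {k!r}")
    return ";".join(f"{k}={v}" for k, v in fields.items())


def parse_header_strict(header):
    """Hardened: malformed fields and duplicate keys are errors, never overrides."""
    out = {}
    for part in header.split(";"):
        k, sep, v = part.partition("=")
        if not sep or not k:
            raise ValueError(f"malformed field {part!r}")
        if k in out:
            raise ValueError(f"duplicate field {k!r}")
        out[k] = v
    return out


def demo():
    """Constructed scenario: the server sets a trusted flag, then appends a
    client-supplied value (here a hypothetical ref name) to the same header.
    Returns (what the naive parser believes 'trusted' is, whether the strict
    builder refused the tainted value)."""
    fields = {"trusted": "0", "ref": "feature;trusted=1"}  # constructed input
    naive_view = parse_header_naive(build_header_naive(fields))
    try:
        build_header_strict(fields)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return naive_view["trusted"], strict_rejected


if __name__ == "__main__":
    print(demo())
```

The strict parser is the second line of defence: even if a tainted header reaches it, `trusted=0;ref=feature;trusted=1` is rejected as a duplicate rather than resolved in the attacker's favour.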
