CVE-2026-3854

🗓️ 10 Mar 2026 17:37:34Reported by GitHub_PType

cve🔗 web.nvd.nist.gov📰️ 21 Media mentions👁 75 Views

CVE-2026-3854 remote code execution in GitHub Enterprise Server via unsanitized push options

Reporter	Title	Published	Views	Family All 21
GithubExploit	Exploit for Command Injection in Github Enterprise_Server	25 May 202604:38	–	githubexploit
GithubExploit	Exploit for Command Injection in Github Enterprise_Server	22 May 202620:44	–	githubexploit
GithubExploit	Exploit for Command Injection in Github Enterprise_Server	28 Apr 202622:02	–	githubexploit
GithubExploit	Exploit for Command Injection in Github Enterprise_Server	9 Jun 202611:16	–	githubexploit
GithubExploit	Exploit for Command Injection in Github Enterprise_Server	29 Apr 202603:52	–	githubexploit
ATTACKERKB	CVE-2026-3854	10 Mar 202617:37	–	attackerkb
Circl	CVE-2026-3854	20 Mar 202610:34	–	circl
CNNVD	GitHub Enterprise Server 安全漏洞	10 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-3854 Remote code execution via git push option injection in GitHub Enterprise Server	10 Mar 202617:37	–	cvelist
EUVD	EUVD-2026-10744	10 Mar 202618:31	–	euvd

NVD

Vulners

Node

github enterprise_serverRange<3.14.24

github enterprise_serverRange3.15.0–3.15.19

github enterprise_serverRange3.16.0–3.16.15

github enterprise_serverRange3.17.0–3.17.12

github enterprise_serverRange3.18.0–3.18.6

github enterprise_serverRange3.19.0–3.19.3

[
  {
    "vendor": "GitHub",
    "product": "Enterprise Server",
    "versions": [
      {
        "status": "affected",
        "version": "3.14.0",
        "lessThanOrEqual": "3.14.24",
        "changes": [
          {
            "at": "3.14.25",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.15.0",
        "lessThanOrEqual": "3.15.19",
        "changes": [
          {
            "at": "3.15.20",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.16.0",
        "lessThanOrEqual": "3.16.15",
        "changes": [
          {
            "at": "3.16.16",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.17.0",
        "lessThanOrEqual": "3.17.12",
        "changes": [
          {
            "at": "3.17.13",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.18.0",
        "lessThanOrEqual": "3.18.6",
        "changes": [
          {
            "at": "3.18.7",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.19.0",
        "lessThanOrEqual": "3.19.3",
        "changes": [
          {
            "at": "3.19.4",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      }
    ],
    "defaultStatus": "affected"
  }
]

Source	Link
docs	www.docs.github.com/en/[email protected]/admin/release-notes
docs	www.docs.github.com/en/[email protected]/admin/release-notes
docs	www.docs.github.com/en/[email protected]/admin/release-notes
docs	www.docs.github.com/en/[email protected]/admin/release-notes
docs	www.docs.github.com/en/[email protected]/admin/release-notes
docs	www.docs.github.com/en/[email protected]/admin/release-notes
wiz	www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

28 Apr 2026 19:37Current

6.4Medium risk

Vulners AI Score6.4

CVSS 3.18.8

CVSS 48.7

EPSS0.09884

SSVC

CWE-77