CVE-2026-44790

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leadi...

NPM: n8n: Git Node Clone and Push Operations Bypass File Sandbox

NPM: n8n: Git Node Clone and Push Operations Bypass File Sandbox vulnerability discovered by ? in WordPress Npm n8n versions 1.123.48...

CVE-2026-47734 Dulwich has unbounded memory allocation in receive-pack from crafted thin packs

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...

Improper Authorization

Fleet is vulnerable to Improper Authorization. The vulnerability is due to incomplete application of ServiceAccount impersonation in certain Helm deployer code paths, which allows an attacker with git push access to read secrets from arbitrary namespaces on downstream clusters...

CVE-2026-41050

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

CVE-2026-41050 Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo...

GitHub Enterprise 3.x < 3.14.25 / 3.15.x < 3.15.20 / 3.16.x < 3.16.16 / 3.17.x < 3.17.13 / 3.18.x < 3.18.7 / 3.19.x < 3.19.4 RCE (CVE-2026-3854)

The version of GitHub Enterprise installed on the remote host is affected by a remote code execution vulnerability: - An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote...

Securing the git push pipeline: Responding to a critical remote code execution vulnerability

On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise...

CVE-2026-3854

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly...

EUVD-2026-10744

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly...

CVE-2026-3854

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly...

CVE-2026-3854

CVE-2026-3854 describes an RCE vulnerability in GitHub Enterprise Server arising during git push option handling. An attacker with push access could abuse unsanitized user-supplied push option values that are incorporated into internal service headers; because the header format uses a delimiter t...

CVE-2026-23632

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/" does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile,...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade gogs.io/gogs/internal/osutil to...

Gogs user can update repository content with read-only permission

Vulnerability Description The endpoint PUT /repos/:owner/:repo/contents/ does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile, which results in: Commit creation Execution of git pu...

GHSA-5QHX-GWFJ-6JQR Gogs user can update repository content with read-only permission

Vulnerability Description The endpoint PUT /repos/:owner/:repo/contents/ does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile, which results in: Commit creation Execution of git pu...

GO-2025-3995 Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook in github.com/argoproj/argo-cd

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook in github.com/argoproj/argo-cd...

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

GHSA-GPX4-37G2-C8PV Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...