Critical GitHub Enterprise Server Flaw Enables Remote Code Execution, 88% of Instances Still Vulnerable
Summary
A critical GitHub Enterprise Server vulnerability (CVE-2026-3854) allows remote code execution via unsanitized git push options. Despite a rapid patch, a staggering 88% of Enterprise Server instances remained exposed at the time of disclosure, and AI-powered tooling let researchers go from idea to working exploit in under 48 hours.
Key Points
- A high-severity vulnerability, CVE-2026-3854 (CVSS 8.7), is disclosed in GitHub Enterprise Server, allowing attackers with push access to achieve remote code execution by injecting unsanitized git push options into internal metadata.
- Cloud security firm Wiz discovers the flaw using IDA MCP, an AI-powered reverse-engineering tool, reducing what would have taken weeks or months of manual work to under 48 hours from idea to working exploit.
- GitHub patches github.com and its cloud products within two hours of validation, while Enterprise Server customers must manually upgrade to fixed versions, with 88% of instances still reported as vulnerable at the time of disclosure.
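The page describes the root cause only as unsanitized git push options reaching internal metadata, without the exact injection path. The following is an added illustration, not GitHub's code and not the fix for CVE-2026-3854, of the general defensive pattern such a bug calls for: a server-side pre-receive hook that treats every push option as untrusted input and enforces a strict allow-list grammar before anything downstream sees it. Git really does hand push options (`git push -o key=value`) to receive-side hooks through the environment variables `GIT_PUSH_OPTION_COUNT` and `GIT_PUSH_OPTION_0` .. `N-1`; the accepted option keys, the size limits and the sample inputs are assumptions chosen for the example.

```python
"""
Added example (not GitHub's code): allow-list validation of git push options
as a receive-side hook would perform it. Option values are rejected unless
they are bounded, printable ASCII, match a narrow key[=value] grammar and
use a known key, so no newline, control character or metacharacter can be
carried into whatever metadata the server records about the push.
"""
import os
import re
import sys
from typing import Mapping

# Hypothetical allow-list of option keys this deployment chooses to honour.
ALLOWED_KEYS = frozenset({"ci.skip", "merge_request.create"})
MAX_OPTIONS = 16   # refuse pushes that carry an implausible number of options
MAX_LEN = 256      # cheap upper bound checked before the regex runs
# key[=value]; both sides are conservative tokens with no whitespace, quotes,
# newlines or shell/markup metacharacters.
OPTION_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9._-]{1,64})(?:=(?P<value>[A-Za-z0-9._:/@+-]{1,190}))?$"
)


def parse_push_options(env: Mapping[str, str]) -> list[str]:
    """Collect GIT_PUSH_OPTION_0..N-1 from a hook environment, preserving order."""
    try:
        count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    except ValueError:
        raise ValueError("GIT_PUSH_OPTION_COUNT is not an integer")
    if count < 0 or count > MAX_OPTIONS:
        raise ValueError(f"refusing {count} push options (limit {MAX_OPTIONS})")
    return [env.get(f"GIT_PUSH_OPTION_{i}", "") for i in range(count)]


def validate_push_option(opt: str) -> tuple[bool, str]:
    """Return (ok, reason) for a single option string."""
    if len(opt) > MAX_LEN:
        return False, "too long"
    # Reject anything outside printable ASCII (0x20..0x7E): newlines, NULs, etc.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in opt):
        return False, "control or non-ASCII character"
    m = OPTION_RE.match(opt)
    if m is None:
        return False, "does not match key[=value] grammar"
    if m.group("key") not in ALLOWED_KEYS:
        return False, f"unknown option key {m.group('key')!r}"
    return True, "ok"


def check_push_options(env: Mapping[str, str]) -> list[str]:
    """Return rejection messages for the whole push; an empty list means accept."""
    try:
        options = parse_push_options(env)
    except ValueError as e:
        return [str(e)]
    problems = []
    for i, opt in enumerate(options):
        ok, reason = validate_push_option(opt)
        if not ok:
            problems.append(f"GIT_PUSH_OPTION_{i}: {reason}")
    return problems


if __name__ == "__main__":
    # Pre-receive hook entry point: a non-zero exit rejects the push.
    issues = check_push_options(os.environ)
    for msg in issues:
        print(f"rejected push option: {msg}", file=sys.stderr)
    sys.exit(1 if issues else 0)
```

The design point is that the check is an allow-list, not a deny-list of known-bad characters: the grammar names what is acceptable and everything else fails closed, which is what prevents an "unsanitized" value from reaching a metadata store or a later command in the first place.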