<![CDATA[CVE-2026-3854: any authenticated GitHub user could RCE the backend with a git push.]]>

<![CDATA[CVE-2026-3854: any authenticated GitHub user could RCE the backend with a git push.]]>CVE-2026-3854: any authenticated GitHub user could RCE the backend with a git push. Unsanitized semicolons in push options → X-Stat header injection → sandbox bypass → code execution.

Same day, a survey of 18 months of supply chain attacks all tracing back to GitHub Actions.

Same structural problem at two layers.

New post: https://alexreed.srht.site/blog/github-rce-actions-weakest-link.html

#infosec #supplychain #github #CVE

]]>https://board.circlewithadot.net/topic/dd6d9171-6163-46a2-9729-2671e6b245f8/cve-2026-3854-any-authenticated-github-user-could-rce-the-backend-with-a-git-push.RSS for NodeFri, 15 May 2026 03:48:05 GMTTue, 28 Apr 2026 18:19:02 GMT60