# CVE-2026-3854

> An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty p

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 0.3%
- **CWE:** CWE-77

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-3854
