Overview
- GitHub
- Enterprise Server
Description
Statistics
- 23 Posts
- 339 Interactions
Fediverse
Wiz got RCE on the cloud version of Github.com and access to every customer environment.
To do this they just reversed the on prem version and found a simple vuln.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
Many people will probably sum up the security flaw CVE-2026-3854 as "My God, all the software hosted on GitHub may have been compromised".
But, in fact, that was already possible: Microsoft (GitHub's owner) could already modify everything.
All CVE-2026-3854 did, if anyone exploited it, was democratize that possibility by making it accessible to everyone with a GitHub account.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push.
Wiz Researchers uncovered a critical flaw in GitHub that could be exploited for RCE. The flaw allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
We responsibly disclosed the issue to GitHub, who deployed a fix on GitHub.com the same day (!) and released patches for all supported GHES versions.
GitHub Enterprise Server customers are strongly encouraged to update immediately.
Huge kudos to GitHub for addressing the issue 👏
Full technical breakdown here → https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
There should be a "but the service is never up to be exploited" reducer on the CVE score.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
HAHAHAHAHHAHAHAHAHAHAH https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
@GossiTheDog Here's a non-Twitter link: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
RCE in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
Somebody stop Wiz 😅
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
Read on HackerWorkspace: https://hackerworkspace.com/article/github-rce-vulnerability-cve-2026-3854-breakdown-wiz-blog
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push https://thehackernews.com/2026/04/researchers-discover-critical-github.html
A single git push command was enough to exploit a flaw in #GitHub's internal protocol and achieve code execution on backend infrastructure.
CVE-2026-3854
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
Question about the GitHub RCE:
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 says GHES patches were _released_ on 03/10.
https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/ says "we _prepared_ patches [...] and published CVE-2026-3854. These are _available today_".
So were GHES patches made available to customers at the time of CVE publication or only today, 1.5 months later?
Bluesky
Overview
- Hugging Face
- LeRobot
Description
Statistics
- 7 Posts
- 13 Interactions
Fediverse
📰 Critical Unpatched RCE Flaw in Hugging Face's LeRobot AI Platform Puts Robotics Systems at Risk
🚨 CRITICAL FLAW: Unpatched RCE (CVE-2026-25874, CVSS 9.3) in Hugging Face's LeRobot AI platform. Unsafe deserialization allows unauthenticated attackers to execute code. #CVE202625874 #HuggingFace #AI #RCE
⚠️ An unpatched critical flaw in Hugging Face’s LeRobot enables remote code execution (CVSS 9.3).
Untrusted pickle over unauthenticated gRPC (no TLS) lets attackers take over servers, steal keys and models, and impact connected robots.
🔗 Details → https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the unsafe pickle format. https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
Bluesky
Overview
Description
Statistics
- 8 Posts
- 5 Interactions
Fediverse
🛡️ Title: Windows Shell Spoofing Vulnerability
Description
🛡️ Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
#infosec #vulnerability #malware
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html?m=1
Bluesky
Overview
- OpenBSD
- OpenSSH
Description
Statistics
- 4 Posts
- 5 Interactions
Fediverse
Critical OpenSSH vulnerability: a comma in certificate names can enable root access. CVE-2026-35414 with CVSS 8.1 affects versions from the last 15 years. An update to OpenSSH 10.3 is available. https://winfuture.de/news,158363.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
@kubikpixel The vulnerability was already fixed at the beginning of April with the release of OpenSSH 10.3
Detail description:
https://nvd.nist.gov/vuln/detail/CVE-2026-35414
(as far as I know, a still-functioning and non-profit service of the government of the United States :awesome: )
Overview
- PackageKit
- PackageKit
Description
Statistics
- 2 Posts
- 9 Interactions
Fediverse
Pack2TheRoot: Critical Linux Privilege Escalation Flaw in PackageKit Affects 12+ Years of Releases (CVE-2026-41651)
#CyberSecurity
https://securebulletin.com/pack2theroot-critical-linux-privilege-escalation-flaw-in-packagekit-affects-12-years-of-releases-cve-2026-41651/
Article on a flaw in #PackageKit:
https://goodtech.info/pack2theroot-faille-linux-packagekit-root-cve-2026-41651/
FYI, packagekit is translated into:
- Kabyle: 31%
- Occitan: 27%
- Breton: 22%
- Basque, Galician, Catalan: +60%
Overview
Description
Statistics
- 2 Posts
- 9 Interactions
Fediverse
CVE-2026-42208: Targeted SQL injection against LiteLLM's authentication path discovered 36 hours following vulnerability disclosure | Sysdig
Read on HackerWorkspace: https://hackerworkspace.com/article/cve-2026-42208-targeted-sql-injection-against-litellm-s-authentication-path-discovered-36-hours-following-vulnerability-disclosure-sysdig
Overview
Description
Statistics
- 1 Post
- 6 Interactions
Fediverse
Microsoft Defender “RedSun” Zero-Day (CVE-2026-33825): Unpatched Exploit Grants Full SYSTEM Access
#CyberSecurity
https://securebulletin.com/microsoft-defender-redsun-zero-day-cve-2026-33825-unpatched-exploit-grants-full-system-access/
Overview
- Microsoft
- ASP.NET Core 10.0
Description
Statistics
- 1 Post
- 4 Interactions
Fediverse
The diversity of advisories is key. Look at how good GitHub's advisory is compared to the others.
Description
Statistics
- 1 Post
- 2 Interactions
Overview
- Milesight
- MS-Cxx63-PD
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
CVE-2026-32644 (CRITICAL, CVSS 9.2): Milesight MS-Cxx63-PD cameras have default SSL private keys, exposing encrypted traffic to interception & tampering. No patch yet — restrict access & follow vendor updates. https://radar.offseq.com/threat/cve-2026-32644-cwe-321-in-milesight-ms-cxx63-pd-60e79b90 #OffSeq #IoTSecurity #Vulnerability