Recently, the security firm Wiz Research disclosed a serious GitHub security vulnerability, tracked as CVE-2026-3854. The severity of this flaw should not be underestimated: an attacker needs only to run a single standard git push command to trigger remote code execution on GitHub's backend servers, and from there gain access to millions of public and private repositories. The root cause of the vulnerability is an injection flaw in GitHub's internal X-Stat header. X-Stat is a semicolon-delimited protocol used mainly to pass security metadata between internal services.
IT之家 reported on April 29 that the security firm Wiz Research published a blog post the previous day (April 28) disclosing a serious GitHub vulnerability, CVE-2026-3854. An attacker needs only a single standard git push command to trigger remote code execution and thereby access millions of public and private repositories. The vulnerability is tracked as CVE-2026-3854; any authenticated user who simply runs a standard git push command can, on GitHub's backend servers ...
CLI-Anything generates SKILL.md files that AI agents trust and execute. Snyk found 13.4% of agent skills contain critical ...
The now‑patched flaw allowed authenticated users to execute arbitrary code via crafted git push requests, affecting ...
A single git push command. That is all it would have taken for someone with write access to a repository on GitHub Enterprise ...
A widespread AI-assisted campaign promoting an OpenClaw Docker deployer package is spreading more than 300 Trojanized GitHub packages targeting developers and gamers alike with a data-stealing Trojan.
A text file containing no code at all has taken the number-one spot on GitHub's trending list. Karpathy's programming trick has been turned into an "AI tightening-headband spell" that instantly makes bug-writing large language models behave! Just now, a single .md file has blown up all of GitHub!
Millions of enterprise software repositories on GitHub are vulnerable to repojacking, a relatively simple kind of software supply chain attack where a threat actor redirects projects that are ...
Ever since they became a standard offering on a free tier, private GitHub repositories have become popular with developers. However, many developers become ...