A critical security vulnerability (CVE-2026-3854, CVSS 8.7) has been disclosed affecting GitHub.com and GitHub Enterprise Server. The flaw is a command injection issue allowing authenticated users with repository push access to achieve remote code execution through a single git push command.