CVE-2026-3854 is a CVSS 9.5 OS command injection flaw in GitHub Enterprise Server’s git push processing pipeline, exploitable by any authenticated user with standard push access. GitHub.com and Enterprise Cloud received emergency patches within two hours of the March 4, 2026 disclosure; self-hosted Enterprise Server customers on unsupported or unpatched release trains remain exposed. Successful exploitation grants OS-level command execution on the Enterprise Server host, placing source code repositories, CI/CD secrets, and downstream software supply chain integrity at direct risk.