Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-5u82-qy92-2qdx
Summary An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Aliases
0
alias CVE-2026-3854
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-3854
reference_id
reference_type
scores
0
value 0.00343
scoring_system epss
scoring_elements 0.57267
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-3854
1
reference_url https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25
reference_id release-notes#3.14.25
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25
2
reference_url https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20
reference_id release-notes#3.15.20
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20
3
reference_url https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16
reference_id release-notes#3.16.16
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16
4
reference_url https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13
reference_id release-notes#3.17.13
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13
5
reference_url https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7
reference_id release-notes#3.18.7
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7
6
reference_url https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4
reference_id release-notes#3.19.4
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T17:34:44Z/
url https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4
Weaknesses
0
cwe_id 77
name Improper Neutralization of Special Elements used in a Command ('Command Injection')
description The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Exploits
Severity_range_score 8.7 - 8.7
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5u82-qy92-2qdx