
The Security Brief


One Git Push, Full Server Compromise: Inside GitHub Enterprise's CVE-2026-3854
A single git push was all it took. On 28 April, GitHub publicly disclosed CVE-2026-3854, a CVSS 8.7 remote code execution flaw in GitHub Enterprise Server that any authenticated user with push access could trigger. The fix shipped fast. The lesson for self-hosted code platforms is harder to patch.

What Happened

Wiz Research found the bug on 4 March 2026 and reported it to GitHub the same day. GitHub deployed a fix to GitHub.com within hours and released patches for GitHub Ent
May 1 · 3 min read


Windows Defender Under Fire: Three Zero-Days in Thirteen Days
One researcher. Three Windows Defender zero-days. Thirteen days. That cadence has left most corporate Windows estates carrying at least one unpatched privilege escalation bug this week, with CISA ordering federal agencies to fix the first of them by 6 May.

What Happened

On 7 April, a proof-of-concept exploit named BlueHammer (CVE-2026-33825) was published, showing how an unprivileged local user could gain SYSTEM access on fully patched Windows 10 and Windows 11 machines. The
Apr 27 · 3 min read


Microsoft's April 2026 Patch Tuesday: 163 Vulnerabilities, Two Zero-Days, and Why Your Organisation Cannot Afford to Wait
Microsoft's April 2026 Patch Tuesday has landed with a staggering 163 security fixes — the second-largest patch release in the company's history. Among them are two zero-day vulnerabilities, one already being actively exploited in the wild, and eight critical flaws that could allow remote code execution across enterprise infrastructure. For Australian organisations running Microsoft environments, this is not a routine update cycle — it demands immediate attention.

What Happen
Apr 17 · 3 min read