
Five Critical CVEs Exploited in Wild, Including GitHub RCE

Security researchers disclosed five critical vulnerabilities this week that attackers have actively exploited, including a remote code execution flaw in GitHub that exposed millions of repositories and a cPanel authentication bypass that gave hackers administrative access for months.

GitHub RCE Vulnerability Exposed Millions of Repositories

Cloud security firm Wiz discovered CVE-2026-3854, a critical remote code execution vulnerability in GitHub’s internal Git infrastructure that affected both GitHub Enterprise Server and GitHub.com. According to Wiz’s disclosure, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command using a standard git client.

On GitHub.com, the vulnerability allowed remote code execution on shared storage nodes where millions of public and private repositories from other users and organizations were accessible. For GitHub Enterprise Server deployments, attackers could fully compromise the server and gain access to all repositories and internal secrets.

GitHub confirmed it has not detected exploitation in the wild. The company deployed a fix to GitHub.com on March 4, the same day Wiz reported the issue, and released patches for Enterprise Server shortly after.

cPanel Zero-Day Exploited Since February

CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, has been actively exploited since February 23, according to hosting provider KnownHost. The flaw, which carries a CVSS score of 9.8, affects all cPanel versions after 11.40.

Attack surface management firm WatchTowr’s analysis revealed that the vulnerability allows remote, unauthenticated attackers to manipulate cookies and inject credentials into pre-authentication session files. Successful exploitation grants administrative access to the control panel, potentially compromising all websites on shared hosting servers.

A Shodan search identified approximately 1.5 million internet-accessible cPanel instances potentially vulnerable to attacks. Major hosting providers including KnownHost, HostPapa, InMotion, and Namecheap immediately blocked access to cPanel & WHM after notification.

Linux PackageKit Flaw Enables Root Access

Deutsche Telekom’s Red Team discovered CVE-2026-41651, dubbed “Pack2TheRoot,” a high-severity vulnerability in PackageKit that allows unprivileged users to install packages with root privileges. The flaw, scoring 8.1 on the CVSS scale, stems from a time-of-check time-of-use race condition on transaction flags.

The vulnerability affects PackageKit versions 1.0.2 to 1.3.4 but likely existed since version 0.8.1, released 14 years ago. Confirmed affected distributions include Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43.

Deutsche Telekom noted that all distributions shipping PackageKit with it enabled are likely vulnerable, including Red Hat Enterprise Linux servers with Cockpit installed. The researchers withheld technical details, stating the vulnerability is “easily exploitable in seconds.”

AI Gateway LiteLLM Hit by SQL Injection

Cybersecurity firm Sysdig reported that attackers exploited CVE-2026-42208 in the open source AI gateway LiteLLM just 36 hours after its April 24 disclosure in GitHub’s Advisory database. The critical SQL injection vulnerability, scoring 9.3 on CVSS, affects the proxy API key verification process.

The flaw allows unauthenticated attackers to send crafted Authorization headers to any LLM API route and access database queries through the proxy’s error-handling path. Attackers specifically targeted three database tables containing API keys, provider credentials, and environment variable configurations.

LiteLLM’s maintainers explained that the vulnerability occurred because database queries included caller-supplied values directly in the query rather than passing them as separate parameters. Despite the targeted attacks, Sysdig observed no continuation of the exploitation or abuse of extracted credentials.
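The bug class the maintainers describe, string interpolation of a caller-supplied header value into the key-lookup query, is shown below side by side with the parameterized form. This is an added illustration written for this article, not LiteLLM's code: the table name, column names, the `sk-` key format and the sample key are all constructed for the example, and SQLite stands in for the proxy's real database.

```python
import re
import sqlite3

# Constructed key format assumed for the example (not LiteLLM's real format):
# a strict allowlist lets the proxy reject garbage before it reaches the database.
KEY_PATTERN = re.compile(r"^sk-[A-Za-z0-9_-]{8,}$")


def make_db():
    """In-memory stand-in for the proxy's key table, with one constructed valid key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_tokens (token TEXT, team_id TEXT)")
    conn.execute(
        "INSERT INTO verification_tokens VALUES ('sk-constructed-valid-key', 'team-a')"
    )
    return conn


def parse_authorization(header):
    """Return the bearer token from an Authorization header, or None if malformed."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def verify_key_vulnerable(conn, api_key):
    """The flawed pattern: the header value is pasted straight into the SQL text.

    A value containing quotes changes the query's structure, so the lookup can
    match rows the caller was never entitled to, and a malformed payload raises
    a database error whose message may echo the query back to the caller.
    """
    query = f"SELECT token, team_id FROM verification_tokens WHERE token = '{api_key}'"
    return conn.execute(query).fetchall()


def verify_key_parameterized(conn, api_key):
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    query = "SELECT token, team_id FROM verification_tokens WHERE token = ?"
    return conn.execute(query, (api_key,)).fetchall()


def verify_key_hardened(conn, header):
    """Defense in depth: shape-check the token, then use the parameterized lookup."""
    api_key = parse_authorization(header)
    if api_key is None or not KEY_PATTERN.match(api_key):
        return []  # reject before any database access
    return verify_key_parameterized(conn, api_key)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed: alters the WHERE clause when interpolated
    print("vulnerable   :", verify_key_vulnerable(db, crafted))    # leaks the row
    print("parameterized:", verify_key_parameterized(db, crafted)) # []
    print("hardened     :", verify_key_hardened(db, "Bearer " + crafted))  # []
```

The shape check in `verify_key_hardened` is not a substitute for parameterization; it simply means that a value which is not even key-shaped never produces a database query or a database error message, which also removes the error-handling path as an information channel.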

Robinhood Phishing via Account Creation Abuse

Investment platform Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails to users over the weekend. The emails originated from ‘[email protected]’ with the subject line “Your recent login to Robinhood.”

Attackers leveraged Gmail’s “dot trick,” where Gmail ignores periods in usernames while Robinhood treats each variation as a distinct address. This allowed attackers to create new Robinhood accounts whose email Gmail would deliver to an existing user’s inbox. During signup, attackers injected malicious HTML code containing phishing links into device name fields.

The manipulation triggered legitimate login notification emails from Robinhood’s systems that rendered unsanitized HTML, embedding clickable phishing links. Robinhood stated this was not a breach of systems or customer accounts, and personal information and funds were not impacted.
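Two controls close the gap described above: treating dot-variants of a Gmail address as the same identity at signup, and escaping user-supplied fields before they are embedded in an HTML notification. The code below is an added example for this article, not Robinhood's code; the email template text and the device-name allowlist are assumptions. It goes slightly beyond the article in also folding Gmail's `+tag` suffixes and the `googlemail.com` alias into the canonical form, since Gmail delivers those to the same inbox as well.

```python
import html
import re

# Domains that Gmail treats as one mailbox namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Assumed allowlist for a device name: letters, digits, space and a few punctuation marks.
DEVICE_NAME_PATTERN = re.compile(r"[\w .'-]{1,64}")


def canonical_email(address):
    """Map every Gmail spelling of one inbox (dots, +tags, googlemail alias) to one string."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("malformed address")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_signup(new_address, existing_addresses):
    """True if the new address already belongs to a registered user after canonicalization."""
    canon = canonical_email(new_address)
    return any(canonical_email(existing) == canon for existing in existing_addresses)


def validate_device_name(device_name):
    """Reject device names that carry markup or are unreasonably long (first line of defense)."""
    if not DEVICE_NAME_PATTERN.fullmatch(device_name):
        raise ValueError("device name rejected")
    return device_name


def render_login_notice(device_name):
    """Escape the field at the point of use so it can never become markup (second line of defense)."""
    safe = html.escape(device_name, quote=True)
    return f"<p>Your recent login came from device: <b>{safe}</b></p>"


if __name__ == "__main__":
    # Constructed sample: a dot-variant of an already registered Gmail address.
    print(is_duplicate_signup("j.ohn.doe@googlemail.com", ["johndoe@gmail.com"]))  # True
    # Constructed sample: a device name carrying an anchor tag.
    print(render_login_notice('<a href="https://phish.example">Verify now</a>'))
```

Both controls are needed: input validation alone fails the moment another field is added without it, and output escaping alone still lets the duplicate-account route exist. Escaping at render time is what guarantees the notification email contains no clickable markup from user input regardless of what was stored.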

https://x.com/AskRobinhood/status/2048649252352487683

What This Means

This week’s disclosures highlight the persistent challenge of securing complex software infrastructure. The GitHub vulnerability demonstrates how a single injection flaw can expose massive amounts of data across shared infrastructure. The cPanel zero-day’s months-long exploitation window shows how critical vulnerabilities can remain undetected in widely deployed software.

The rapid exploitation of LiteLLM within 36 hours of public disclosure underscores the need for immediate patching of AI infrastructure components. Organizations using these platforms should prioritize updates and implement additional monitoring for unusual authentication patterns.

The diversity of attack vectors — from infrastructure protocols to package managers to social engineering — reinforces the importance of defense-in-depth strategies that don’t rely on single security controls.

FAQ

How quickly should organizations patch these vulnerabilities?
Immediate patching is critical for all five vulnerabilities. GitHub and LiteLLM fixes should be applied within 24 hours, while cPanel users should update immediately given the months-long exploitation window.

Are there workarounds if immediate patching isn’t possible?
For cPanel, hosting providers have blocked access as a temporary measure. PackageKit users can disable the service if not required. GitHub Enterprise customers should restrict repository access until patching.

How can organizations detect if they’ve been compromised?
Monitor authentication logs for unusual patterns, check database access logs for unexpected queries, and review email systems for suspicious account creation activities. GitHub and cPanel provide specific indicators of compromise in their advisories.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.