New video on the “AppSec Untangled” YouTube channel!
In this video, I do a deep dive into CVE-2026-3854 — a critical RCE in GitHub where a single git push command with a carefully crafted option was enough to execute code on GitHub’s backend and access millions of private repositories belonging to other customers.
I also cover 4 practical lessons we can take from this as application security engineers:
Input validation — and why it needs to apply at every level of nesting, not just the outer layer
Why SAST wouldn’t have caught this — and what to do instead
Least privilege — scoping down credentials to limit blast radius
Tenant isolation — and why application-level isolation isn’t always enough
Hope you find it useful!
Link: https://youtu.be/XPcTuNEPLu0