I assume a fair amount of these on-prem customers restrict access to their GHES instance to be behind corporate VPN or something similar and are planning a date to upgrade their instance that won't affect operations.

Any public instance should update immediately though, it's not very hard to put together how to repro the vulnerability on your own from what they provide in the article and the fact that GitHub Enterprise source is publicly available.

For sure - the last company I worked at that had GitHub Enterprise had it running on a private network only accessible within the company.

Yeah, but this still gives any employee RCE on the GHES server right?

I suppose so. The company invested pretty heavily in security tooling, though I think it wouldn't have been hard to do something to bypass the security for internal servers.

The tweet is confusing and makes it sound like the RCE was as simple as `git push -o "x;`whatever command`"`, but there are a few more things they have to specify that they mention in their blog post: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...

It doesn't look like it's very hard to reproduce or find the bug now (especially with the details they mention in their blog post) but I assume they did not want to publish the actual command line. It looks like it affected both GitHub.com and GitHub Enterprise, and it does look like it literally took one git push command.

It's interesting that Next is becoming so popular when LLMs supposedly have a capability to work with all these other frameworks that don't create a dependency on something like Vercel.

You don't have to use Vercel to run NextJS though

I heard that JWTs are 5x the price of JSON tokens but only 3x if you have JSON ForULTRA+ (new) (for work or school).

The more you buy, the more you save!

That makes sense, because JWT is base64 encoded, and those base64 tokens are bigger and more expensive. JWT has 3 parts, so it's 3x more expensive, obviously.

Legally speaking that's for entertainment purposes only

You have to add the final "]" or "}" yourself but json strings are free!

I just bought 30.000 JWT

HODL

Fortunately, Microsoft C# Copilot 2 Pro is already bundled with JSON forULTRA+ for free. (Not to be confused with Microsoft C# Copilot Pro)

Are you talking about the Copilot 2 Legacy But Also Preview version? Because my TPM module’s circuit board orientation doesn’t support that yet.

It has been up and down today, specifically with authentication breaking. I also saw an error message with backend SQL in it (in my 6 years of Meta bug bounty security research, I have never once seen backend SQL before).

I suspect it is because they also refactored Meta AI entirely to use Next.js instead of their normal stack they use for literally everything else. Not sure why they would do this, but I guess it works (...or maybe not) for them.

I guess this means the listener for Hey Siri requests has to be inside of the exclave/conclave to avoid triggering the mic indicator light 24/7 or leaking microphone data? I assume this means the code has to be able to be updated through various macOS/iOS updates and is not immutable, so I do wonder how the code signature verification for that works (since I assume the code signing checks would have to be done at a hardware/bootloader level above the kernel)

I also assume this means you can't put the mouse cursor over the camera indicator as well since that can be controlled by the kernel/host (if someone here has a Macbook Neo pls confirm).

Can confirm; the cursor goes "beneath" the camera/mic indicator on the MacBook Neo.

What happens when you screen share - does those pixels show as active or the kernel cannot read the state of those pixels and the capture has the video memory state?