GNU Savannah Patched After Reported Vulnerabilities Triggered Service Disruption
GNU Savannah, the software forge and hosting platform used by GNU and other free software projects, suffered a security incident that disrupted services and forced administrators to take systems offline while recovery work proceeded. The Free Software Foundation said security researchers from Hacktron had reported vulnerabilities in early May and demonstrated an exploit, after which FSF, GNU, and volunteer staff patched all reported issues along with additional security problems submitted during the review.
FSF said its investigation found no evidence that sensitive project data or credentials were accessed and no indication that Savannah’s software supply chain was compromised. Service was later restored in stages, with some functions remaining limited during recovery, and FSF said it would take additional precautionary steps, notify Savannah-hosted projects and other Savane operators, and publish a fuller incident report within 30 days.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
FSF issues statement on Savannah security reports
On June 19, 2026, FSF stated that it found no evidence sensitive project data or credentials were accessed and no indication Savannah’s software supply chain was compromised. It also said it would take additional precautionary steps, contact hosted projects and other Savane operators, and publish a fuller incident report within 30 days.
FSF patches all reported GNU Savannah issues
After receiving the reports, FSF said it worked with the researchers and GNU/FSF volunteers and staff to patch all reported vulnerabilities, including additional security issues later submitted by the researchers.
Hacktron reports Savannah vulnerabilities and demonstrates exploit
The Free Software Foundation said security researchers from Hacktron reported vulnerabilities in GNU Savannah in early May and demonstrated an exploit against the platform.
GNU Savannah services begin returning after restoration work
Following the prolonged outage, GNU Savannah resumed operation after recovery efforts, with some services restored gradually and others still limited or returning in stages.
GNU Savannah disruption leads administrators to take systems offline
GNU Savannah suffered a compromise-related service disruption that led administrators to take systems offline while they investigated and began restoration work. The outage affected infrastructure used to host and manage GNU and other free software projects.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Statement regarding GNU Savannah security reports - Free Software Foundation - Working together for free software
fsf.org
Open source���� ��� ����������� � ����������� ���������� � �������� ���������� ���� GNU Savannah
opennet.me
Open source���� ��� ����������� � ����������� ���������� � �������� ���������� ���� GNU Savannah
opennet.ru
Open sourceStatement regarding GNU Savannah security reports - Free Software Foundation - Working together for free software
fsf.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitHub Enterprise Server patches critical SSRF and Dirty Frag privilege escalation flaws
GitHub released urgent security updates for GitHub Enterprise Server to fix multiple severe vulnerabilities affecting versions `3.16` through `3.20`, led by **CVE-2026-9312**, a critical pre-authentication SSRF flaw in an upload endpoint. The bug allowed unauthenticated attackers to craft requests with path traversal content and force the appliance to make internal HTTP requests, potentially exposing internal services, credentials, and configuration data. GitHub said the issue was reported through its bug bounty program and remediated in `3.16.20`, `3.17.17`, `3.18.11`, `3.19.8`, `3.20.4`, and `3.21.1`. The updates also address the high-severity Linux kernel local privilege-escalation flaws **CVE-2026-43284** and **CVE-2026-43500**, known as **Dirty Frag**, which could let a local user gain root on vulnerable appliances. Additional fixes and hardening cover a timing side-channel issue and another SSRF-related weakness tied to package and notebook-related functionality, including environments with GitHub Packages enabled or private mode disabled. GitHub revoked the signing key for GHES release packages and instructed administrators to rotate trusted local GPG public keys before installing the patched releases, urging rapid upgrades for internet-facing and shared multi-tenant deployments.
May 27, 2026
Coordinated Vendor Patch Advisories for Enterprise Software and Linux Kernel
The Canadian Centre for Cyber Security issued multiple **alerts and advisories** urging organizations to apply vendor patches for newly disclosed vulnerabilities across widely deployed enterprise platforms, including **Splunk** (Enterprise, Cloud Platform, Universal Forwarder, and *DB Connect* prior to `4.2.0`), **GitHub Enterprise Server** (patched releases `3.19.2`, `3.18.5`, `3.17.11`, `3.16.14`, `3.15.18`, `3.14.23`), **Jenkins** (Weekly `2.550` and prior; LTS `2.541.1` and prior), and **Atlassian** products (**Bamboo**, **Confluence**, and **Crowd** Data Center/Server across multiple versions). The advisories are framed as patch-and-mitigate guidance rather than incident reporting, emphasizing rapid update adoption to reduce exposure. Additional vendor guidance highlighted kernel-level risk and security tooling exposure. **Tenable** released a critical update for **Tenable Security Center** (`6.7.2` and prior) via stand-alone patches, and **Red Hat** published multiple advisories (Feb 9–15) including **Linux kernel** fixes across several RHEL-related offerings (e.g., *Red Hat Enterprise Linux* and *CodeReady Linux Builder*). Separately, F5 tracked a **Linux kernel vulnerability** identified as **CVE-2025-22026** in its product advisory, reinforcing the need to prioritize kernel patching where affected components are present.
Mar 21, 2026
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
Mar 21, 2026