Major GNU software repository Savannah fixes 2-year flaw that left the platform exposed

GNU Savannah, a major platform for developing and distributing free software, said it had patched exploitable flaws that left it vulnerable for roughly 2 years.
- GNU Savannah patched critical flaws exposed for 2 years
- No evidence of supply chain or data compromise found
- Hacktron AI platform discovered the vulnerabilities earlier this May
The Free Software Foundation (FSF), which runs Savannah, disclosed the “incident” that left the platform exposed to external tampering.
“After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain,” FSF assures.
Savannah is the forge for official GNU packages, and it also hosts 3,351 other free software and documentation packages. GNU is a core collection of tools for Linux as well as some other UNIX-like operating systems – from text editors to compilers – without which they could not function as operating systems.
“This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps,” FSF said.
The initial notice doesn’t provide any details about the exploits, only that they were reported and demonstrated by Hacktron, an AI-powered code review platform, in early May. The vulnerabilities affect software released 2 years ago. FSF plans on releasing a more detailed report within 30 days.
“We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects,” the statement reads.
The foundation patched the bugs and assisted operators of other instances of Savane (the software that powers Savannah) in reviewing and protecting their environments.
For threat actors, Savannah is an exceptionally high-value target, as compromising the source code of core software could compromise billions of systems downstream.
FSF previously cautioned that the platform has been under sustained DDoS attacks, likely originating from AI companies that use botnets to scrape datasets for training large language models.