GNU Savannah, a massive library for essential open-source computer code, has fixed a bug that left it vulnerable to hackers for two years.
The Free Software Foundation (FSF), which runs the Savannah platform, fixed the issue after an AI code-review tool named Hacktron discovered it in May 2026. The vulnerability had been hiding in the platform’s software since an update two years ago. The FSF plans to share a detailed report about the bug next month.
Savannah is a major target for cybercriminals. It hosts the core building blocks for Linux operating systems. If hackers had managed to secretly change the code stored there, those changes could have been downloaded automatically and infected billions of computers worldwide.
Luckily, after a deep check of its systems, the FSF found no signs that anyone actually stole data or tampered with the software.
While the bug is fixed, Savannah is currently fighting off a different problem. The FSF stated the site is dealing with heavy web traffic overloads (DDoS attacks), which it believes are being caused by AI companies aggressively scraping the platform to collect training data.