CVE-2026-28292

Summary

simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

Affected Software

VendorProductVersion RangeStatus
steveukxsimple-git>= 3.15.0, < 3.32.3affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-178: CWE-178: Improper Handling of Case Sensitivity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

simple-git: simple-git: Remote Code Execution via bypass of prior security fixes

Additional References

References