CVE-2026-6951

Summary

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent –config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Affected Software

VendorProductVersion RangeStatus
n/asimple-git0 < 3.36.0affected
n/aorg.webjars.npm:simple-git0 < *affected

Weaknesses

  • CWE-94: Remote Code Execution (RCE)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

simple-git: simple-git: Remote Code Execution due to incomplete fix bypass

Additional References

References