CVE-2026-28292

CRITICAL

simple-git 3.15.0-3.32.2 - Remote Code Execution

Title source: manual

Description

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

References (4)

Core 4

Core References

Patch x_refsource_misc

https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257

View Patch ZIP pw:eip

Various Sources x_refsource_misc

https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292

X_Refsource_Confirm x_refsource_confirm

https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q

Various Sources

https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292

Scores

CVSS v3 9.8

EPSS 0.0127

EPSS Percentile 65.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-178 CWE-78

Status published

Products (3)

npm/simple-git 3.15.0 - 3.32.3npm

simple-git_project/simple-git 3.15.0 - 3.32.2

steveukx/simple-git >= 3.15.0, < 3.32.3

Published Mar 10, 2026

Tracked Since Mar 11, 2026