110 matches found

ATTACKERKB
added 2026/04/13 5:15 p.m. | 5 views

CVE-2026-28291

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for...

CVSS 9.8 | AI score 6 | EPSS 0.02712
Exploits 2 | References 5 | Affected Software 1
CVE
added 2026/04/13 5:15 p.m. | 14 views

CVE-2026-28291

CVE-2026-28291 affects the Node.js package simple-git up to version 3.31.1, where an attacker can execute arbitrary commands by abusing Git option parsing. The flaw stems from an incomplete fix for CVE-2022-25860: Git’s flexible option parsing allows combinations such as -vu, -4u, -nu to bypass t...

CVSS 8.1 | AI score 7.4 | EPSS 0.00637
Exploits 1 | References 5 | Affected Software 1
vulnersOsv
added 2026/04/13 4:35 p.m. | 4 views

3extensions (=1.0.1), @51jbs/incremental-coverage-plugin (=1.0.5) +508 more potentially affected by CVE-2022-25860 +1 more via simple-git (>=3.0.3 <=3.31.1)

simple-git NPM version =3.0.3, =1.0.1, =1.0.1, =0.0.0-ad-beta.1, =0.0.0-aj-beta.3, =23.0.0, =35.0.0, =1.4.0, =0.1.5-alpha.0, =1.0.2, =8.7.2, =0.0.1, =0.0.8 and more Source cves: CVE-2022-25860, CVE-2026-28291 Source advisory: SNYK:JS-SIMPLEGIT-16032290...

CVSS 9.8 | AI score 7.7 | EPSS 0.02712
Exploits 2
Snyk
added 2026/04/13 4:35 p.m. | 6 views

Command Injection

Overview: simple-git is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Command Injection through improper option parsing in the clone method. An attacker can execute arbitrary system commands by supplying specially...

CVSS 9.8 | AI score 6 | EPSS 0.02712
Exploits 2 | References 2
vulnersOsv
added 2026/04/13 4:35 p.m. | 7 views

1508-cli (>=1.0.4 <=1.0.6), 3extensions (=1.0.1) +4910 more potentially affected by CVE-2022-25860 +1 more via simple-git (>=0.10.0 <=3.31.1)

simple-git NPM version =0.10.0, =1.0.4, =1.0.0, =0.0.80, =1.0.0, =2.0.0, =0.0.0, =0.0.1, =0.0.1, =0.0.5, =0.0.5, =0.0.5, =0.0.5, =0.1.16 and more Source cves: CVE-2022-25860, CVE-2026-28291 Source advisory: OSV:GHSA-JCXM-M3JX-F287...

CVSS 9.8 | AI score 7.7 | EPSS 0.02712
Exploits 2
EUVD
added 2026/04/13 4:35 p.m. | 3 views

EUVD-2026-22026

simple-git Affected by Command Execution via Option-Parsing Bypass...

CVSS 9.8 | AI score 5.8 | EPSS 0.02712
Exploits 2 | References 4
vulnersOsv
added 2026/04/13 4:35 p.m. | 5 views

org.webjars.npm:g-status (=2.0.2), org.webjars.npm:graphql-toolkit__git-loader (=0.7.5) potentially affected by CVE-2022-25860 +1 more via org.webjars.npm:simple-git (>=1.129.0 <=1.132.0)

org.webjars.npm:simple-git MAVEN version =1.129.0, =1.132.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:simple-git and may be impacted: - org.webjars.npm:g-status =2.0.2 - org.webjars.npm:graphql-toolkit__git-loader =0.7.5 Source cves...

CVSS 9.8 | AI score 7.2 | EPSS 0.02712
Exploits 2
OSV
added 2026/04/13 4:35 p.m. | 3 views

GHSA-JCXM-M3JX-F287 simple-git Affected by Command Execution via Option-Parsing Bypass

Summary: simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the...

CVSS 8.1 | AI score 6.2 | EPSS 0.02712
Exploits 2 | References 7
Snyk
added 2026/04/13 4:35 p.m. | 3 views

Command Injection

Overview: org.webjars.npm:simple-git is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Command Injection through improper option parsing in the clone method. An attacker can execute arbitrary system commands by...

CVSS 9.8 | AI score 7.6 | EPSS 0.02712
Exploits 2 | References 2
GitHub Security Blog
added 2026/04/13 4:35 p.m. | 7 views

simple-git Affected by Command Execution via Option-Parsing Bypass

Summary: simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the...

CVSS 9.8 | AI score 6.2 | EPSS 0.02712
Exploits 2 | References 7 | Affected Software 1
CNNVD
added 2026/04/13 12:0 a.m. | 3 views

Simple Git operating system command injection vulnerability

Simple Git is a lightweight interface developed by Steve King from the UK. It is used to execute Git commands within any Node.js application. Versions of Simple Git 3.31.1 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from a bypass...

CVSS 9.8 | AI score 7.6 | EPSS 0.02712
Exploits 2 | References 4
Tenable Nessus
added 2026/04/13 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-28291

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option...

CVSS 9.8 | AI score 6 | EPSS 0.02712
Exploits 2 | References 2
Tenable Nessus
added 2026/03/24 12:0 a.m. | 5 views

TencentOS Server 4: grafana (TSSA-2026:0177)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0177 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 9.8 | AI score 8 | EPSS 0.02784
Exploits 3 | References 2
SUSE CVE
added 2026/03/11 4:15 p.m. | 2 views

SUSE CVE-2026-28292

simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes CVE-2022-25860 and CVE-2022-25912 and achieve full remote code execution on the host machine. Version 3.23.0 contains ...

CVSS 9.8 | AI score 6.5 | EPSS 0.01272
Exploits 1 | References 3
Tenable Nessus
added 2026/03/11 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-28292

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass t...

CVSS 9.8 | AI score 8 | EPSS 0.02784
Exploits 3 | References 2
NVD
added 2026/03/10 7:17 p.m. | 5 views

CVE-2026-28292

simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes CVE-2022-25860 and CVE-2022-25912 and achieve full remote code execution on the host machine. Version 3.23.0 contains ...

CVSS 9.8 | EPSS 0.01272
Exploits 1 | References 4
EUVD
added 2026/03/10 6:38 p.m. | 2 views

EUVD-2026-10790

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE...

CVSS 9.8 | AI score 5.8 | EPSS 0.01272
Exploits 1 | References 2
Snyk
added 2026/03/10 6:38 p.m. | 3 views

Improper Handling of Case Sensitivity

Overview: org.webjars.npm:simple-git is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the preventProtocolOverride function, which fails to properly validate...

CVSS 9.8 | AI score 6.2 | EPSS 0.02784
Exploits 2 | References 3
Snyk
added 2026/03/10 6:38 p.m. | 3 views

Improper Handling of Case Sensitivity

Overview: simple-git is a light weight interface for running git commands in any node.js application. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the preventProtocolOverride function, which fails to properly validate case-insensitive configuration...

CVSS 9.8 | AI score 7.7 | EPSS 0.02784
Exploits 2 | References 3
OSV
added 2026/03/10 6:38 p.m. | 4 views

GHSA-R275-FR43-PM7Q simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE

Summary: The blockUnsafeOperationsPlugin in simple-git fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the ext:: protocol by passing -c PROTOCOL.ALLOW=always, which...

CVSS 9.8 | AI score 7.4 | EPSS 0.01272
Exploits 1 | References 6