CVE-2026-28292
- Source
- https://cve.org/CVERecord?id=CVE-2026-28292
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28292.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-28292
- Aliases
- Downstream
- Related
- Published
- 2026-03-10T18:34:21.717Z
- Modified
- 2026-03-14T13:50:48.275845Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
- Details
-
simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-178", "CWE-78" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28292.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28292.json
- https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257
- https://nvd.nist.gov/vuln/detail/CVE-2026-28292
- https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292
Affected packages
Git / github.com/steveukx/git-js
Affected versions
simple-git@3.*
simple-git@3.15.0
simple-git@3.15.1
simple-git@3.16.0
simple-git@3.16.1
simple-git@3.17.0
simple-git@3.18.0
simple-git@3.19.0
simple-git@3.19.1
simple-git@3.20.0
simple-git@3.21.0
simple-git@3.22.0
simple-git@3.23.0
simple-git@3.24.0
simple-git@3.25.0
simple-git@3.26.0
simple-git@3.27.0
simple-git@3.28.0
simple-git@3.30.0
simple-git@3.31.1
simple-git@3.32.0
simple-git@3.32.1
simple-git@3.32.2