CVE-2026-28292
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk67th percentile - higher than 67% of all known CVEs
Summary
The `simple-git` library for Node.js versions 3.15.0 through 3.32.2 contains a vulnerability that bypasses fixes for CVE-2022-25860 and CVE-2022-25912. An attacker can exploit this to achieve remote code execution on the host.
Risk Assessment
The risk to the organization is critical as an attacker can take over the application server, steal data, or install malware without authentication.
Recommendation
Immediately update the `simple-git` library to version 3.23.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

