CVE Catalog

CVE-2026-28292

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.30%

67th percentile - higher than 67% of all known CVEs

Summary

The `simple-git` library for Node.js versions 3.15.0 through 3.32.2 contains a vulnerability that bypasses fixes for CVE-2022-25860 and CVE-2022-25912. An attacker can exploit this to achieve remote code execution on the host.

Risk Assessment

The risk to the organization is critical as an attacker can take over the application server, steal data, or install malware without authentication.

Recommendation

Immediately update the `simple-git` library to version 3.23.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS