CVE Catalog

CVE-2026-6951

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.88%

54th percentile — higher than 54% of all known CVEs

Summary

A vulnerability in the simple-git package before version 3.36.0 allows Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912. The fix blocked the -c option but not the equivalent --config form, enabling an attacker to use the ext:: protocol for code execution.

Risk Assessment

The risk for the organization is that an attacker can supply untrusted input to the options argument of simple-git, potentially leading to full server compromise, data theft, or further attacks. This can result in complete control over the affected system.

Recommendation

Immediately update the simple-git package to version 3.36.0 or later. Additionally, validate and sanitize all user input passed to git functions to prevent injection of malicious options.

Original NVD description (English source)

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS