CVE-2026-28292
published 2026-03-10


Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.30% (66.8th percentile)
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.

Affected (2 ranges)

Vendor               Product      Version range          Fixed in
simple-git_project   simple-git   >= 3.15.0 < 3.32.2     3.32.2
simple-git_project   simple-git   >= 3.15.0 < 3.32.3     3.32.3

Detection & IOCs (extracted from sources)

  • Attacker injects configuration options that re-enable the Git ext:: protocol handler to execute arbitrary external commands through the Git client
  • Vulnerable simple-git versions are 3.15.0 through 3.32.2; monitor for use of these versions in Node.js applications accepting untrusted repository URLs or git arguments
  • This CVE bypasses prior fixes for CVE-2022-25860 and CVE-2022-25912; environments that applied only those earlier patches remain vulnerable if running simple-git 3.15.0–3.32.2
  • The root cause is improper validation of user-supplied input when constructing Git commands; any simple-git operation (clone, fetch, etc.) that accepts untrusted input is a potential attack surface
  • Red Hat has marked several OpenShift Logging packages as 'Will not fix', meaning those deployments remain permanently exposed unless upstream simple-git is updated independently
  • No mitigation meeting Red Hat Product Security criteria is currently available for affected packages

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                      9.8     CRITICAL
osv                       9.8     CRITICAL
vendor_redhat             8.1     HIGH