CVE-2026-6951
Published 2026-04-25
CVE-2026-6951: Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for…
Priority P262 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.88% (54.5th percentile)
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | — | — |
| simple-git_project | simple-git | — | — |
| simple-git_project | simple-git | >= 0 < 3.36.0 | 3.36.0 |
| simple-git_project | simple-git | >= 3.15.0 < 3.36.0 | 3.36.0 |
Detection & IOCs (extracted from sources)
- Attacker bypasses the `-c` option block by using the equivalent `--config` form to pass git configuration options via the simple-git options argument
- Detect git clone operations where `protocol.ext.allow=always` is set via `--config`, which enables the dangerous ext:: protocol
- Monitor for use of `ext::` scheme in git clone source URLs, which allows arbitrary command execution via git's external protocol handler
- Flag any untrusted input reaching the `options` argument of simple-git calls, particularly strings containing `--config` or `protocol.ext.allow`
- Affected packages include simple-git < 3.36.0 as well as downstream consumers: grafana (RHEL 8/9), simple-git in Red Hat JBoss EAP 8, JBoss EAP Expansion Pack, and Red Hat Process Automation 7
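The detection points above translate directly into a pre-call gate. The following is an added example, not code from simple-git or from any of the advisories quoted on this page: it inspects the `options` value (array or object form, as simple-git accepts it) and the clone source for the `-c`/`--config` option forms, the `protocol.ext.allow` key and the `ext::` scheme, and refuses the call before anything reaches git. The function names, the sample values and the `pickAllowedOptions` allow-list helper are this example's own assumptions.

```javascript
// Added example (not part of simple-git or of the advisory): defensive
// pre-check for arguments destined for simple-git's `options` parameter
// and for clone source URLs.

// `-c` or `--config`, either as a bare flag or fused with `=value`.
const CONFIG_OPTION = /^(-c|--config)(=|$)/;
// The config key that switches on the ext:: remote helper.
const EXT_ALLOW_KEY = /protocol\.ext\.allow/i;
// ext:: scheme at the start of a source string (case-insensitive).
const EXT_SCHEME = /^\s*ext::/i;

/**
 * Audit an options value as simple-git accepts it: an array of strings
 * (e.g. ['--depth', '1']) or an object keyed by option name
 * (e.g. {'--depth': 1}). Returns a list of findings; empty means clean.
 */
function auditGitOptions(options) {
  const findings = [];
  const entries = Array.isArray(options)
    ? options.map((v) => [String(v), null])
    : Object.entries(options || {}).map(([k, v]) => [k, v == null ? null : String(v)]);

  entries.forEach(([key, value], i) => {
    if (CONFIG_OPTION.test(key)) {
      findings.push(`option ${i}: git config option ${JSON.stringify(key)}`);
    }
    // The key may itself be the value of a preceding `--config` in array form.
    if (EXT_ALLOW_KEY.test(key) || (value !== null && EXT_ALLOW_KEY.test(value))) {
      findings.push(`option ${i}: references protocol.ext.allow`);
    }
  });
  return findings;
}

/** Flag clone sources that use the ext:: remote helper scheme. */
function auditCloneSource(source) {
  return EXT_SCHEME.test(String(source)) ? [`source uses ext:: scheme: ${source}`] : [];
}

/** Combined gate: throw before the arguments reach simple-git. Returns true when clean. */
function assertSafeClone(source, options) {
  const findings = [...auditCloneSource(source), ...auditGitOptions(options)];
  if (findings.length) {
    throw new Error('unsafe git clone arguments: ' + findings.join('; '));
  }
  return true;
}

/**
 * Preferred design: an allow-list. Keep only the option names the application
 * actually expects (object form), so unknown flags never get through at all.
 */
function pickAllowedOptions(options, allowedNames) {
  const allowed = new Set(allowedNames);
  return Object.fromEntries(Object.entries(options || {}).filter(([k]) => allowed.has(k)));
}

// Constructed sample inputs (not real telemetry).
const cleanOpts = ['--depth', '1'];
const flaggedOpts = ['--config', 'protocol.ext.allow=always'];
console.log(auditGitOptions(cleanOpts));   // []
console.log(auditGitOptions(flaggedOpts)); // two findings
console.log(pickAllowedOptions({ '--depth': 1, '--config': 'x' }, ['--depth'])); // { '--depth': 1 }
```

The deny-list functions are useful as a detection layer (log their findings to see whether anything untrusted is already reaching the call site), but the durable fix is upgrading to 3.36.0 and passing only allow-listed option names, as `pickAllowedOptions` does.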
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 8.2 | HIGH | — |
GHSA
simple-git is vulnerable to Remote Code Execution
ghsa · 2026-04-25 · CVSS 9.8
CVE-2026-6951 [CRITICAL] CWE-94
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
VulDB
steveukx simple-git up to 3.35.x code injection (SNYK-JS-SIMPLEGIT-15456078 / EUVD-2026-25639)
vuldb · 2026-04-25 · CVSS 9.2
CVE-2026-6951 [CRITICAL]
A vulnerability classified as critical has been found in steveukx simple-git up to 3.35.x. Affected is an unknown function. Performing a manipulation results in code injection.
This vulnerability is cataloged as CVE-2026-6951. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
Red Hat
simple-git: Remote Code Execution due to incomplete fix bypass
vendor_redhat · 2026-04-25 · CVSS 8.2
CVE-2026-6951 [HIGH] CWE-88
A flaw was found in simple-git. A remote attacker could exploit this vulnerability by providing specially crafted input to the options argument, bypassing a previous security fix. This incomplete fix allows an attacker to enable certain protocol extensions, which could lead to remote code execution.
Statement: This Important flaw in the `simple-git` library allows for Remote Code Execution when untrusted input is passed to the options argument. An attacker could bypass a previous security fix by enabling specific protocol extensions, leading to arbitrary code execution.
Package: grafana (Red Hat Enterprise Linux 8) - Affected
Package: grafana (Red Hat Enterprise Linux 9) - Affected
Package: simple-git (Red Hat
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43057 kernel: net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
bugzilla · 2026-05-01
CVE-2026-43057 [MEDIUM]
In the Linux kernel, the following vulnerability has been resolved:
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
NETIF_F_IPV6_CSUM only advertises support for checksum offload of
packets without IPv6 extension headers. Packets with extension
headers must fall back onto software checksumming. Since TSO
depends on checksum offload, those must revert to GSO.
The below commit introduces that fallback. It always checks
network header length. For tunneled packets, the inner header length
must be checked instead. Extend the check accordingly.
A special case is tunneled packets without inner IP protocol. Such as
RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by
transport hea
Bugzilla
CVE-2026-6951 simple-git: Remote Code Execution due to incomplete fix bypass
bugzilla · 2026-04-25 · CVSS 9.8
CVE-2026-6951 [CRITICAL]
References:
- https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6
- https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16300211
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078
- https://access.redhat.com/security/cve/CVE-2026-6951
- https://bugzilla.redhat.com/show_bug.cgi?id=2461750
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6951.json
Published: 2026-04-25