Skip to main content

Simple Git

5 CVEs product

Monthly

CVE-2026-6951 npm HIGH PATCH GHSA This Week

Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.

Code Injection RCE Simple Git
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-28292 npm CRITICAL POC PATCH GHSA Act Now

simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.

Node.js RCE Command Injection Simple Git
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2022-25912 npm CRITICAL POC PATCH Act Now

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Simple Git
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2022-24066 npm CRITICAL POC PATCH Act Now

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Simple Git
NVD GitHub
CVSS 3.1
9.8
EPSS
4.1%
CVE-2022-24433 npm CRITICAL PATCH Act Now

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Simple Git
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.

Code Injection RCE Simple Git
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.

Node.js RCE Command Injection +1
NVD GitHub VulDB
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Command Injection Simple Git
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Simple Git
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Simple Git
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy