Critical severity9.8NVD Advisory· Published Mar 10, 2026· Updated Apr 14, 2026
CVE-2026-28292
CVE-2026-28292
Description
simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
simple-gitnpm | >= 3.15.0, < 3.32.3 | 3.32.3 |
Affected products
3- cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*Range: >=3.15.0,<3.32.2
- ghsa-coords2 versions
>= 3.15.0, < 3.32.3+ 1 more
- (no CPE)range: >= 3.15.0, < 3.32.3
- (no CPE)range: < 2.20.1-3.1
Patches
Vulnerability mechanics
References
6- github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257nvdPatchWEB
- www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-r275-fr43-pm7qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28292ghsaADVISORY
- github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7qnvdWEB
- www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292nvdWEB
News mentions
0No linked articles in our index yet.