CVE-2026-28292
Received Received - Intake
Remote Code Execution in simple-git via Patch Bypass

Publication date: 2026-03-10

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28292
EUVD
EUVD-2026-10790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
simple-git_project simple-git From 3.15.0 (inc) to 3.32.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have a severe impact as it allows an attacker to achieve full remote code execution on the affected host machine. This means the attacker can run any code they choose with the same privileges as the application using simple-git, potentially leading to data theft, system compromise, or further attacks within the network.

Executive Summary

The vulnerability exists in the simple-git library, which is used to run git commands within node.js applications. Versions 3.15.0 through 3.32.2 have a security flaw that allows an attacker to bypass two previous fixes (CVE-2022-25860 and CVE-2022-25912). This bypass enables the attacker to execute arbitrary code remotely on the host machine where the vulnerable simple-git version is running.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the simple-git package to version 3.23.0 or later, as this version contains an updated fix that addresses the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart