Vulnerability Details CVE-2026-6951
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.
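The gap described above, shown as an added example (not simple-git's code and not part of the advisory): a check that only catches the short `-c` form passes the `--config` form, while an allowlist of options and source schemes rejects it. The function names, the allowed option set and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical checks, not simple-git's own code.

// Blocklist of the kind the advisory describes: only the short form is caught.
function blocklistAllows(options) {
  return !options.some((opt) => /^-c/.test(opt));
}

// Allowlist: every option must be known, and valued options must match a pattern.
const ALLOWED_FLAGS = new Set(['--bare', '--single-branch', '--no-tags']);
const ALLOWED_VALUED = new Map([
  ['--depth', /^[1-9]\d*$/],
  ['--branch', /^[A-Za-z0-9][\w./-]*$/], // value may not start with '-'
]);
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

function validateOptions(options) {
  for (let i = 0; i < options.length; i++) {
    const opt = options[i];
    if (ALLOWED_FLAGS.has(opt)) continue;
    const pattern = ALLOWED_VALUED.get(opt);
    const value = options[i + 1];
    if (pattern && typeof value === 'string' && pattern.test(value)) {
      i++; // consume the option's value
      continue;
    }
    return { ok: false, reason: `option not allowed: ${opt}` };
  }
  return { ok: true, reason: '' };
}

function validateSource(source) {
  let url;
  try {
    url = new URL(source);
  } catch {
    return { ok: false, reason: 'source is not an absolute URL' };
  }
  return ALLOWED_SCHEMES.has(url.protocol)
    ? { ok: true, reason: '' }
    : { ok: false, reason: `scheme not allowed: ${url.protocol}` };
}

function validateClone(source, options) {
  const src = validateSource(source);
  return src.ok ? validateOptions(options) : src;
}

// Constructed input mirroring the advisory text; the command is a placeholder.
const SAMPLE_OPTIONS = ['--config', 'protocol.ext.allow=always'];
const SAMPLE_SOURCE = 'ext::<command>';
```

Run the allowlist on the caller's side before anything reaches the options argument, and still upgrade to 3.36.0 or later.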
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 61.3%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-6951
- cpe:2.3:a:simple-git_project:simple-git:3.15.0
- cpe:2.3:a:simple-git_project:simple-git:3.15.1
- cpe:2.3:a:simple-git_project:simple-git:3.16.0
- cpe:2.3:a:simple-git_project:simple-git:3.16.1
- cpe:2.3:a:simple-git_project:simple-git:3.17.0
- cpe:2.3:a:simple-git_project:simple-git:3.18.0
- cpe:2.3:a:simple-git_project:simple-git:3.19.0
- cpe:2.3:a:simple-git_project:simple-git:3.19.1
- cpe:2.3:a:simple-git_project:simple-git:3.20.0
- cpe:2.3:a:simple-git_project:simple-git:3.21.0
- cpe:2.3:a:simple-git_project:simple-git:3.22.0
- cpe:2.3:a:simple-git_project:simple-git:3.23.0
- cpe:2.3:a:simple-git_project:simple-git:3.24.0
- cpe:2.3:a:simple-git_project:simple-git:3.25.0
- cpe:2.3:a:simple-git_project:simple-git:3.26.0
- cpe:2.3:a:simple-git_project:simple-git:3.27.0
- cpe:2.3:a:simple-git_project:simple-git:3.28.0
- cpe:2.3:a:simple-git_project:simple-git:3.30.0
- cpe:2.3:a:simple-git_project:simple-git:3.31.1
- cpe:2.3:a:simple-git_project:simple-git:3.32.0
- cpe:2.3:a:simple-git_project:simple-git:3.32.1
- cpe:2.3:a:simple-git_project:simple-git:3.32.2
- cpe:2.3:a:simple-git_project:simple-git:3.32.3
- cpe:2.3:a:simple-git_project:simple-git:3.33.0