CVE-2026-6951
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk54th percentile — higher than 54% of all known CVEs
Summary
A vulnerability in the simple-git package before version 3.36.0 allows Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912. The fix blocked the -c option but not the equivalent --config form, enabling an attacker to use the ext:: protocol for code execution.
Risk Assessment
The risk for the organization is that an attacker can supply untrusted input to the options argument of simple-git, potentially leading to full server compromise, data theft, or further attacks. This can result in complete control over the affected system.
Recommendation
Immediately update the simple-git package to version 3.36.0 or later. Additionally, validate and sanitize all user input passed to git functions to prevent injection of malicious options.
Original NVD description (English source)
Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

