9.8
simple-git: Malicious Git Commands Can Execute Code on Your Server
CVE-2026-28292
GHSA-r275-fr43-pm7q
Summary
Versions 3.15.0 through 3.32.2 of simple-git have a security flaw that lets attackers use Git commands to run malicious code on your server. If your application uses one of these versions, an attacker could potentially take control of the server. Update to version 3.32.3 or later to fix the issue.
What to do
- Update simple-git to version 3.32.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | simple-git | > 3.15.0, <= 3.32.3 | 3.32.3 |
| simple-git_project | simple-git | > 3.15.0, <= 3.32.2 | – |
Original title
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 ...
Original description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
NVD CVSS 3.1: 9.8
Vulnerability type
- CWE-78: OS Command Injection
- CWE-178: Improper Handling of Case Sensitivity
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026