Remote Code Execution Vulnerability in Simple-Git by Simple Git
CVE-2026-6951
9.2 CRITICAL
What is CVE-2026-6951?
Versions of the Simple-Git package prior to 3.36.0 are affected by a Remote Code Execution vulnerability caused by an incomplete patch for a previous security issue. The code does not adequately block the --config option, which becomes exploitable when attackers can send untrusted input to the options argument. This can lead to remote code execution if protocol.ext.allow is set to always and a malicious external source is used. Users are advised to upgrade to the latest version to mitigate the risk.
Affected Version(s)
simple-git 0 < 3.36.0
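
As defence in depth alongside the upgrade, an application that forwards caller-supplied values to the options argument can allowlist them before any git command is built. This is an added example, not code from simple-git or from this advisory; the function name, the accepted flags and the accepted URL schemes are assumptions chosen for illustration.

```javascript
// Added example. checkCloneArgs, ALLOWED_FLAGS and ALLOWED_SCHEMES are
// hypothetical names, not part of simple-git; the lists are constructed.
const ALLOWED_FLAGS = new Set(['--depth', '--branch', '--single-branch', '--no-tags']);
const FLAGS_WITH_VALUE = new Set(['--depth', '--branch']);
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

// Returns { ok, errors } for a clone source and an array of option strings.
function checkCloneArgs(source, options = []) {
  if (!Array.isArray(options)) return { ok: false, errors: ['options must be an array'] };
  const errors = [];

  // Source: must parse as an absolute URL with an expected scheme. Values
  // that start with '-' or name any other transport fail this check.
  let scheme = null;
  try {
    scheme = new URL(String(source)).protocol;
  } catch {
    scheme = null;
  }
  if (!ALLOWED_SCHEMES.has(scheme)) errors.push(`source not allowed: ${source}`);

  for (let i = 0; i < options.length; i++) {
    const token = options[i];
    if (typeof token !== 'string') {
      errors.push(`non-string option at index ${i}`);
      continue;
    }
    const eq = token.indexOf('=');
    const name = eq === -1 ? token : token.slice(0, eq);
    // Exact-match allowlist: --config, --config=<k=v>, -c and shortened
    // spellings such as --conf are all rejected because none is listed.
    if (!ALLOWED_FLAGS.has(name)) {
      errors.push(`option not allowed: ${token}`);
      continue;
    }
    if (!FLAGS_WITH_VALUE.has(name)) {
      if (eq !== -1) errors.push(`unexpected value: ${token}`);
      continue;
    }
    // The value is either inline (--depth=1) or the next array element.
    const value = eq === -1 ? options[++i] : token.slice(eq + 1);
    if (typeof value !== 'string' || value === '' || value.startsWith('-')) {
      errors.push(`bad value for ${name}`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

Scp-style sources (user@host:path) do not parse as URLs and are rejected by this check; callers would need to pass the ssh:// form instead.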
