VDB
CVE-2026-28292
CVE-2026-28292
PUBLISHED
CVSS 9.800000190734863 CRITICAL
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
EPSS 0.15% · 34.8th percentile
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.15%
34.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| steveukx | simple-git | >= 3.15.0, < 3.32.3, >= 3.15.0, < 3.32.3, >= 3.15.0, < 3.32.3 |
| simple-git_project | simple-git | 3.15.0, 3.15.0, 3.15.0 |
| npm | simple-git | 3.15.0, 3.15.0, 3.15.0 |
Exploit Intelligence
- https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292 (cve.org)
- CIRCL seen: CVE-2026-28292 (circl-sighting)
- CIRCL seen: CVE-2026-28292 (circl-sighting)
- CIRCL seen: CVE-2026-28292 (circl-sighting)
- CIRCL seen: CVE-2026-28292 (circl-sighting)
- https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257 (circl)
- https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292 (nist-nvd)
Timeline
- Mar 10, 2026 CVE Published
- Mar 10, 2026 PoC Published
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 12, 2026 PoC Published
- Mar 12, 2026 PoC Published
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Coalition ESS Score