CVE-2026-28291: Simple-git_project · Simple-git
Vulnerability data via NVD (ingested)
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. This issue has been fixed in version 3.32.0.
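The description above says the blocklist fails because Git accepts clustered and combined option spellings that a regex keyed to the literal `-u` / `--upload-pack` never sees. The following is an added example, not simple-git's own code or its 3.32.0 fix: a blocklist-style check modelled on the page's description is placed beside an allowlist check that treats every dash-prefixed argument as an option and only passes the ones a caller has explicitly permitted. All names (`DANGEROUS_OPTION_BLOCKLIST`, `ALLOWED_OPTIONS`, `checkArgs`) and the permitted-option set are assumptions made for the illustration.

```javascript
// Added example (not simple-git's code). Contrasts a regex blocklist for
// dangerous Git options with an allowlist that fails closed.

// Hypothetical blocklist in the style the page describes: it matches the
// literal dangerous spellings but not the combined forms Git also accepts.
const DANGEROUS_OPTION_BLOCKLIST = [/^-u$/, /^-u=/, /^--upload-pack(=|$)/];

function blocklistAllows(arg) {
  return !DANGEROUS_OPTION_BLOCKLIST.some((re) => re.test(arg));
}

// Hypothetical allowlist: the only options a caller may pass to this command.
// Value-taking options are accepted in `--name=value` form only, so the
// value can never be split off as a separate dash-prefixed argument.
const ALLOWED_OPTIONS = new Set(['--verbose', '--progress']);
const ALLOWED_WITH_VALUE = new Set(['--depth']);

function allowlistAllows(arg) {
  if (typeof arg !== 'string') return false;
  // Anything that does not start with '-' is positional (a ref, a path).
  if (!arg.startsWith('-')) return true;
  if (ALLOWED_OPTIONS.has(arg)) return true;
  const eq = arg.indexOf('=');
  if (eq > 0 && ALLOWED_WITH_VALUE.has(arg.slice(0, eq))) return true;
  // Unknown option, including any clustered short-flag spelling: reject.
  return false;
}

// Returns the arguments a policy rejects, so a caller can refuse the whole
// command (and log the offending argument) rather than silently drop it.
function checkArgs(args, policy) {
  return args.filter((a) => !policy(a));
}

// Constructed argument vector using the variants the advisory names.
const SAMPLE_ARGS = ['main', '-vu', '-4u', '-nu', '--depth=1'];

function demo() {
  return {
    blocklistRejected: checkArgs(SAMPLE_ARGS, blocklistAllows),
    allowlistRejected: checkArgs(SAMPLE_ARGS, allowlistAllows),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The blocklist passes every combined spelling while the allowlist rejects them, which is the point the advisory makes: once Git's option grammar is the thing being matched, enumerating bad inputs does not terminate, but enumerating good ones does. Where a Git subcommand accepts a literal `--` separator, placing untrusted positional values after it is a further safeguard that does not depend on argument inspection at all.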
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan: vuln:CVE-2026-28291 · product:"Simple-git Project Simple-git" · http.html:"Simple-git"
Censys: vulnerabilities.cve_id: CVE-2026-28291
Other: "CVE-2026-28291" exploit -site:nvd.nist.gov