OS Command Injection in Simple Git - CVE-2026-28291


Published: April 14, 2026


Vulnerability identifier: #VU125922
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28291
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Steve King
Affected software:
Simple Git

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the option-parsing logic of simple-git when processing user-controlled git command options. A remote attacker can supply specially crafted option variants to execute arbitrary commands.

The issue can be triggered even when allowUnsafePack is explicitly set to false, and the provided proof of concept succeeded on Linux-based environments but was not reproduced on Windows 11.
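Because the weakness is in how option strings are parsed, the only fix is the vendor update. As a compensating control in the calling application, user-supplied git options should never be forwarded as-is: the added example below (not simple-git's own code; the allowed option set and value patterns are assumptions for illustration) accepts only exact, pre-declared `--name=value` forms, so abbreviated or alternate spellings of an option are rejected before they reach any git-invoking library.

```javascript
// Added example (not from simple-git): deny-by-default validation of git
// options that originate from untrusted input. The allow list below is a
// constructed assumption; an application would declare only what it needs.
const ALLOWED_OPTIONS = new Map([
  ['--max-count', /^[0-9]{1,4}$/],
  ['--author', /^[A-Za-z0-9 ._@-]{1,64}$/],
  ['--since', /^[0-9]{4}-[0-9]{2}-[0-9]{2}$/],
]);
const ALLOWED_FLAGS = new Set(['--no-merges', '--first-parent']);

// Returns { ok: true, args } with a fresh array of validated strings, or
// { ok: false, reason } on the first input that is not explicitly allowed.
function validateGitOptions(userOptions) {
  const safe = [];
  for (const raw of userOptions) {
    if (typeof raw !== 'string') {
      return { ok: false, reason: 'non-string option' };
    }
    if (ALLOWED_FLAGS.has(raw)) {
      safe.push(raw);
      continue;
    }
    // Only the "--name=value" form is accepted. A separate "--name value"
    // pair would let a value that begins with "-" be read as another option,
    // and short or abbreviated names never match the allow list exactly.
    const eq = raw.indexOf('=');
    if (!raw.startsWith('--') || eq === -1) {
      return { ok: false, reason: `unexpected option form: ${raw}` };
    }
    const name = raw.slice(0, eq);
    const value = raw.slice(eq + 1);
    const pattern = ALLOWED_OPTIONS.get(name);
    if (!pattern) {
      return { ok: false, reason: `option not allowed: ${name}` };
    }
    if (!pattern.test(value)) {
      return { ok: false, reason: `bad value for ${name}` };
    }
    safe.push(raw);
  }
  return { ok: true, args: safe };
}

// Constructed inputs: one request an application would expect, one that
// smuggles a value as a separate token, and one naming an undeclared option.
console.log(validateGitOptions(['--max-count=10', '--no-merges']));
console.log(validateGitOptions(['--max-count', '10']));
console.log(validateGitOptions(['--output=/tmp/constructed-path']));
```

Pass `args` through only when `ok` is true; the validated array should be the sole source of option strings handed to the git wrapper.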


How to mitigate CVE-2026-28291

Install the security update from the vendor's website.

Sources