CVE-2026-28292
Published: 10 March 2026
Summary
CVE-2026-28292 is a critical-severity OS Command Injection (CWE-78) vulnerability in the simple-git npm package (vendor: Simple-Git Project). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of the command injection flaw in simple-git versions 3.15.0 through 3.32.2 by patching to version 3.23.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning of software dependencies such as the simple-git npm package to identify and address CVE-2026-28292 before exploitation.
- Input validation: addresses the OS command injection (CWE-78) aspect by validating and sanitizing untrusted inputs, such as crafted Git repository URLs, before they are passed to simple-git.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated OS command injection vulnerability in the Node.js simple-git library enables exploitation of public-facing applications (T1190) for arbitrary command execution via a command and scripting interpreter (T1059).
NVD Description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Deeper analysis
CVE-2026-28292 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the `simple-git` npm package, an interface for executing Git commands in Node.js applications. Versions 3.15.0 through 3.32.2 contain a flaw classified under CWE-78 (OS Command Injection) and CWE-178 (Improper Encoding or Escaping of Outputs), which enables attackers to bypass mitigations from prior vulnerabilities CVE-2022-25860 and CVE-2022-25912, resulting in full remote code execution on the host machine. The issue was published on 2026-03-10.
A remote attacker needs no privileges or user interaction and can exploit this over the network with low attack complexity. By supplying crafted input that `simple-git` processes, such as a Git repository URL or command argument, the attacker achieves arbitrary code execution on the host system, potentially leading to complete compromise with high confidentiality, integrity, and availability impact.
The GitHub security advisory (GHSA-r275-fr43-pm7q) and related commit (f7042088aa2dac59e3c49a84d7a2f4b26048a257) detail the fix, with version 3.23.0 providing an updated patch. Security practitioners should upgrade to version 3.23.0 or later and review the CodeAnt.ai research for additional technical details on the bypass mechanism.
Details
- CWE(s)