CVE-2026-28292: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in steveukx simple-git
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
AI Analysis
Technical Summary
CVE-2026-28292 is an OS command injection vulnerability in the simple-git library for Node.js, affecting versions from 3.15.0 up to but not including 3.32.3. This vulnerability enables attackers to bypass two prior fixes (CVE-2022-25860 and CVE-2022-25912) and execute arbitrary commands remotely on the host system. The issue arises from improper neutralization of special elements used in OS commands (CWE-78). The vendor addressed this vulnerability with an updated fix starting in version 3.23.0.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary OS commands remotely on the host running the vulnerable simple-git version. This leads to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the critical nature of this vulnerability with network attack vector and no user interaction or privileges required.
Mitigation Recommendations
Upgrade to simple-git version 3.23.0 or later, which contains the updated fix for this vulnerability. Since the vulnerability affects versions >= 3.15.0 and < 3.32.3, any version outside this range is not vulnerable. No other mitigations are specified. Patch status is confirmed by the vendor advisory indicating version 3.23.0 includes the fix.
CVE-2026-28292: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in steveukx simple-git
Description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-28292 is an OS command injection vulnerability in the simple-git library for Node.js, affecting versions from 3.15.0 up to but not including 3.32.3. This vulnerability enables attackers to bypass two prior fixes (CVE-2022-25860 and CVE-2022-25912) and execute arbitrary commands remotely on the host system. The issue arises from improper neutralization of special elements used in OS commands (CWE-78). The vendor addressed this vulnerability with an updated fix starting in version 3.23.0.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary OS commands remotely on the host running the vulnerable simple-git version. This leads to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the critical nature of this vulnerability with network attack vector and no user interaction or privileges required.
Mitigation Recommendations
Upgrade to simple-git version 3.23.0 or later, which contains the updated fix for this vulnerability. Since the vulnerability affects versions >= 3.15.0 and < 3.32.3, any version outside this range is not vulnerable. No other mitigations are specified. Patch status is confirmed by the vendor advisory indicating version 3.23.0 includes the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-26T01:52:58.736Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b06a2b2f860ef943991f03
Added to database: 3/10/2026, 6:59:55 PM
Last enriched: 4/14/2026, 11:28:25 AM
Last updated: 4/25/2026, 12:44:29 AM
Views: 92
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.