CVE-2026-6951: Remote Code Execution (RCE) in simple-git
simple-git versions before 3. 36. 0 contain a remote code execution vulnerability due to an incomplete fix for a previous issue (CVE-2022-25912). The vulnerability arises because the mitigation blocked the '-c' option but not the equivalent '--config' form, allowing attackers to enable protocol. ext. allow=always and use an ext:: clone source to execute code remotely if untrusted input reaches the options argument.
AI Analysis
Technical Summary
CVE-2026-6951 is a critical remote code execution vulnerability in the simple-git package prior to version 3.36.0. It stems from an incomplete fix for CVE-2022-25912, where the '-c' option was blocked but the '--config' option was not, enabling attackers to manipulate git configuration to allow execution of arbitrary code via the ext:: clone source. This vulnerability requires that untrusted input can reach the options argument passed to simple-git, making it exploitable remotely without user interaction and without privileges.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on systems using vulnerable versions of simple-git if untrusted input is passed to the options argument. This can lead to full system compromise or unauthorized actions within the context of the affected application.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 3.36.0, upgrading to version 3.36.0 or later is likely the intended fix once available. Until then, avoid passing untrusted input to the options argument of simple-git or implement strict input validation to prevent exploitation.
CVE-2026-6951: Remote Code Execution (RCE) in simple-git
Description
simple-git versions before 3. 36. 0 contain a remote code execution vulnerability due to an incomplete fix for a previous issue (CVE-2022-25912). The vulnerability arises because the mitigation blocked the '-c' option but not the equivalent '--config' form, allowing attackers to enable protocol. ext. allow=always and use an ext:: clone source to execute code remotely if untrusted input reaches the options argument.
CVSS v4.0
Score 9.2critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6951 is a critical remote code execution vulnerability in the simple-git package prior to version 3.36.0. It stems from an incomplete fix for CVE-2022-25912, where the '-c' option was blocked but the '--config' option was not, enabling attackers to manipulate git configuration to allow execution of arbitrary code via the ext:: clone source. This vulnerability requires that untrusted input can reach the options argument passed to simple-git, making it exploitable remotely without user interaction and without privileges.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on systems using vulnerable versions of simple-git if untrusted input is passed to the options argument. This can lead to full system compromise or unauthorized actions within the context of the affected application.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 3.36.0, upgrading to version 3.36.0 or later is likely the intended fix once available. Until then, avoid passing untrusted input to the options argument of simple-git or implement strict input validation to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- snyk
- Date Reserved
- 2026-04-24T07:25:39.128Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Epss Score
- 0.00085
- Epss Percentile
- 0.2445
- Epss Date
- 2026-04-26
- Gcve Source
- db.gcve.eu
Threat ID: 69ec52c387115cfb68273f89
Added to database: 4/25/2026, 5:36:03 AM
Last enriched: 5/2/2026, 7:34:36 AM
Last updated: 6/9/2026, 1:46:32 PM
Views: 607
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.