What is CVE-2026-28291?

CVE-2026-28291 is a high-severity vulnerability in Simple-git_project Simple-git, classified under OS Command Injection. CVSS score: 8.1/10. Published 2026-04-13.

How severe is CVE-2026-28291?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Simple-git_project Simple-git

CVE-2026-28291

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (36.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Simple-git_project Simple-git
Steveukx Git-js — versions < 3.32.0

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Vendor Advisory)
security-advisories@github.com (Patch, x_refsource_MISC)
security-advisories@github.com (Product, x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC, Release Notes)
security-advisories@github.com (VDB Entry, Third Party Advisory, x_refsource_MISC)

Frequently asked questions

What is CVE-2026-28291?: CVE-2026-28291 is a high-severity vulnerability in Simple-git_project Simple-git, classified under OS Command Injection. CVSS score: 8.1/10. Published 2026-04-13.
How severe is CVE-2026-28291?: High severity. CVSS v3 base score is 8.1 out of 10.