{"id":"CVE-2026-28292","summary":"simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE","details":"`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability. (Note: 3.23.0 lies inside the affected range 3.15.0 through 3.32.2 stated above and is itself listed under the affected versions in this record, so the fixed-version number given here is probably a typo; confirm the patched release against the FIX commit reference before pinning to it.)","aliases":["GHSA-r275-fr43-pm7q"],"modified":"2026-03-24T03:05:08.370424Z","published":"2026-03-10T18:34:21.717Z","related":["openSUSE-SU-2026:10327-1"],"database_specific":{"cwe_ids":["CWE-178","CWE-78"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28292.json"},"references":[{"type":"WEB","url":"https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28292.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28292"},{"type":"FIX","url":"https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/steveukx/git-js","events":[{"introduced":"e1d66b6469d123d5629383ddc5d089294cc93ea2"},{"fixed":"6e61c6493142957dd06703ccc1df496b0c0af34e"}]}],"versions":["simple-git@3.15.0","simple-git@3.15.1","simple-git@3.16.0","simple-git@3.16.1","simple-git@3.17.0","simple-git@3.18.0","simple-git@3.19.0","simple-git@3.19.1","simple-git@3.20.0","simple-git@3.21.0","simple-git@3.22.0","simple-git@3.23.0","simple-git@3.24.0","simple-git@3.25.0","simple-git@3.26.0","simple-git@3.27.0","simple-git@3.28.0","simple-git@3.30.0","simple-git@3.31.1","simple-git@3.32.0","simple-git@3.32.1","simple-git@3.32.2"],"database_specific":{"source":"https://storage.googleapis.com/osv
-test-cve-osv-conversion/osv-output/CVE-2026-28292.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}