{"id":"CVE-2026-6951","details":"Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.","aliases":["GHSA-hffm-xvc3-vprc"],"modified":"2026-07-01T04:02:35.545475970Z","published":"2026-04-25T05:00:05.257Z","related":["CGA-7564-rv9h-467m"],"database_specific":{"cna_assigner":"snyk","unresolved_ranges":[{"extracted_events":[{"fixed":"*"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6951.json"},"references":[{"type":"WEB","url":"https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6951.json"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16300211"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-6951"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6951.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6951"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461750"},{"type":"FIX","url":"https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/steveukx/git-js","events":[{"introduced":"e1d66b6469d123d5629383ddc5d089294cc93ea2"},{"fixed":"01bb7ceae698831e9abd9310f7d61484970ab53c"},{"fixed":"89a2294febed5dfe737c4c735d936bb6018746a8"}],"database_specific":{"extracted_events":[{"introduced":"3.15.0"},{"fixed":"3.36.0"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*"}}],"versions":["simple-git@3.35.2","@simple-git/argv-parser@1.0.3","@simple-git/args-pathspec@1.0.2","simple-git@3.35.1","@simple-git/argv-parser@1.0.2","@simple-git/argv-parser@1.0.1","@simple-git/args-pathspec@1.0.1","simple-git@3.33.0","simple-git@3.32.3","simple-git@3.32.2","simple-git@3.32.1","simple-git@3.32.0","simple-git@3.31.1","simple-git@3.30.0","simple-git@3.28.0","simple-git@3.27.0","simple-git@3.26.0","simple-git@3.25.0","simple-git@3.24.0","simple-git@3.23.0","simple-git@3.22.0","simple-git@3.21.0","simple-git@3.20.0","simple-git@3.19.1","simple-git@3.19.0","simple-git@3.18.0","simple-git@3.17.0","simple-git@3.16.1","simple-git@3.16.0","simple-git@3.15.1","simple-git@3.15.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-6951.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}]}