PT-2026-32486 · Steveukx+1 · Git-Js+1

Juhwisang · Published 2026-04-13 · Updated 2026-05-13 · CVE-2026-28291

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
simple-git versions prior to 3.32.0

Description
The library allows the execution of arbitrary commands through the manipulation of Git options. This occurs because the unsafe operations plugin uses a regular-expression-based blocklist to prevent dangerous options, such as -u and --upload-pack, which can be bypassed using various character combinations (e.g., -vu, -4u, -nu) that Git's flexible option parsing still accepts.

Recommendations
Update to version 3.32.0.
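
The gap described above, shown as an added example (not simple-git's own code): a constructed exact-match regex stands in for the blocklist, next to a hypothetical conservative check that treats any bundled short-option cluster containing u as -u. It covers only the option spellings this advisory names; the function names and sample arguments are assumptions.

```javascript
// Added illustration; not simple-git's source. The regex is a constructed
// stand-in for an exact-match blocklist, not the library's actual pattern.
const NAIVE_BLOCKLIST = /^(-u|--upload-pack)(=|$)/;

function naiveIsBlocked(arg) {
  return NAIVE_BLOCKLIST.test(arg);
}

// Hypothetical stricter check. Git accepts bundled short flags, so "-vu"
// is read as "-v -u"; matching the literal string "-u" is not enough.
function strictIsBlocked(arg) {
  if (typeof arg !== 'string') return true; // refuse anything that is not a string
  if (arg.startsWith('--')) {
    // Long option: compare the name before any "=value" part.
    const name = arg.slice(2).split('=', 1)[0];
    return name === 'upload-pack';
  }
  if (arg.startsWith('-') && arg.length > 1) {
    // Short-option cluster: reject if "u" appears anywhere in it.
    // This can over-block a harmless cluster, but never lets -u through.
    return arg.slice(1).includes('u');
  }
  return false; // positional argument
}

// Run both checks over an argument list and report the verdicts side by side.
function audit(args) {
  return args.map((arg) => ({
    arg,
    naive: naiveIsBlocked(arg),
    strict: strictIsBlocked(arg),
  }));
}

// Arguments the stricter check rejects but the exact-match regex lets pass.
function missedByNaive(args) {
  return audit(args).filter((r) => r.strict && !r.naive).map((r) => r.arg);
}

// Constructed sample: the spellings quoted in the advisory plus benign arguments.
const SAMPLE = ['-u', '--upload-pack=x', '-vu', '-4u', '-nu', '-v', '--depth=1', 'repo.git'];

console.log(audit(SAMPLE));
console.log('missed by exact-match blocklist:', missedByNaive(SAMPLE));
```

A check like this is useful as a pre-filter or test fixture in calling code; it does not replace the update to 3.32.0.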

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-28291

Affected Products

Git-Js
Simple-Git