PT-2026-35132 · Npm · Simple-Git

Kuycheu Kung · Published 2026-04-25 · Updated 2026-05-18 · CVE-2026-6951

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

simple-git versions prior to 3.36.0

Description

A Remote Code Execution (RCE) issue exists in the simple-git Node.js library due to improper code generation management and an incomplete fix for a previous flaw. The issue occurs because the --config option was not adequately blocked, while the -c option was. If untrusted input reaches the options argument, a remote attacker can inject arbitrary git configuration settings, such as enabling protocol.ext.allow=always and using an ext:: clone source, to execute arbitrary code on the host machine. This exploitation requires no authentication or user interaction.

Recommendations

Update to version 3.36.0 or later.
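
A caller-side check for the condition the description names, untrusted input reaching the options argument, shown as an added example that is not code from simple-git or from this advisory. The allowed option names, value patterns and URL schemes are assumptions chosen for illustration; anything not listed, including -c and --config, is rejected.

```javascript
// Added example (not simple-git code): allowlist check for a clone request.
// The option list, value patterns and schemes below are assumptions.
const ALLOWED_OPTIONS = new Map([
  ['--depth', /^[1-9][0-9]{0,5}$/],
  ['--branch', /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,99}$/],
  ['--single-branch', null], // null = flag that takes no value
  ['--no-tags', null],
]);
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

// Accept an array of tokens or a plain object; emit "name" or "name=value".
function normalise(options) {
  if (Array.isArray(options)) return options.map(String);
  return Object.entries(options || {}).map(([name, value]) =>
    value === null || value === undefined ? name : `${name}=${value}`);
}

// Returns a list of problems; an empty list means the request may proceed.
function checkCloneRequest(source, options) {
  const problems = [];
  let scheme = null;
  try {
    scheme = new URL(String(source)).protocol;
  } catch {
    // Not an absolute URL: scheme stays null and is rejected below.
  }
  if (!ALLOWED_SCHEMES.has(scheme)) {
    problems.push(`source scheme not allowed: ${scheme}`);
  }
  for (const token of normalise(options)) {
    const eq = token.indexOf('=');
    const name = eq === -1 ? token : token.slice(0, eq);
    const value = eq === -1 ? null : token.slice(eq + 1);
    if (!ALLOWED_OPTIONS.has(name)) {
      // Catches -c, --config, and any value passed as a separate token.
      problems.push(`option not allowed: ${name}`);
      continue;
    }
    const pattern = ALLOWED_OPTIONS.get(name);
    const ok = pattern === null ? value === null
      : value !== null && pattern.test(value);
    if (!ok) problems.push(`bad value for ${name}`);
  }
  return problems;
}

// Constructed inputs, using the setting and source type named in the advisory.
console.log(checkCloneRequest('https://example.com/repo.git', ['--depth=1']));
console.log(checkCloneRequest('ext::placeholder',
  ['--config', 'protocol.ext.allow=always']));
```

Valued options must use the single-token `--name=value` form, so a separate value token is never accepted on its own.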

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05839
CLEANSTART-2026-CE10526
CLEANSTART-2026-NB51079
CVE-2026-6951
GHSA-HFFM-XVC3-VPRC

Affected Products

Simple-Git