HIGH
Simple Git Project
CVE published 2026-04-25
CVE-2026-6951
CVE-2026-6951 affects the Node.js package simple-git before 3.36.0. According to the CVE record, the earlier fix for CVE-2022-25912 was incomplete: blocking the -c option did not fully block the equivalent --config form. If untrusted input can influence the options argument passed to simple-git, an attacker may be able to reach remote code execution by enabling protocol.ext.allow=always and using an ext:: [truncated]