CVE-2026-28291 - simple-git - Command Injection

Overview

simple-git <= 3.31.1 contains a command injection caused by incomplete blocklist of Git options in unsafe operations plugin, letting attackers execute arbitrary commands by manipulating Git options, exploit requires crafted Git command options.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary commands, potentially leading to full system compromise.

Mitigation

Update to version 3.32.0 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 13, 2026

🟠 CVE-2026-28291 - High (8.1) simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --uploa... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28291/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 13, 2026

🟠 CVE-2026-28291 - High (8.1) simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --uploa... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28291/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-28291 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score