LeakyCreds

CVE-2026-6951 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 25, 2026

simple-git - Remote Code Execution

Published: April 25, 2026 | Updated: April 25, 2026 | Remote Exploitable

Overview

simple-git versions before 3.36.0 contain a remote code execution vulnerability caused by an incomplete fix: the --config option can still be used to enable protocol.ext.allow=always, which lets attackers execute arbitrary code remotely. Exploitation requires untrusted input reaching the options argument.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary code remotely by exploiting the incomplete fix in options parsing.

Mitigation

Upgrade to version 3.36.0 or later.
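
To confirm the upgrade has reached every installed copy, including copies pulled in transitively, the following added example (not code from simple-git or from this page) scans a parsed package-lock.json for simple-git entries below 3.36.0. The sample lockfile and the package names demo-app and some-tool are constructed for illustration.

```javascript
// Added example: flag simple-git installs below the fixed release (3.36.0, per this page).
const FIXED = [3, 36, 0];

// Parse the "x.y.z" core of a version string into numbers; null if it does not match.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelowFixed(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable or missing version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  // Same core version: a prerelease such as 3.36.0-rc.1 sorts before 3.36.0.
  return /^\d+\.\d+\.\d+-/.test(String(v));
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map),
// e.g. JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
function findVulnerableSimpleGit(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match top-level and nested copies, but not look-alike names such as simple-git-hooks.
    if (!/(^|\/)node_modules\/simple-git$/.test(path)) continue;
    if (isBelowFixed(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/simple-git": { version: "3.36.0" },
    "node_modules/some-tool/node_modules/simple-git": { version: "3.35.2" },
    "node_modules/simple-git-hooks": { version: "2.11.1" },
  },
};

console.log(findVulnerableSimpleGit(sampleLock));
```

A nested copy under another dependency's node_modules stays vulnerable until that dependency's own requirement resolves to 3.36.0 or later, which is why the scan walks every path rather than only the top-level entry.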

Social Media Activity (2 posts)

OffSequence
@offseq
Apr 25, 2026

🚩 CRITICAL: CVE-2026-6951 in simple-git <3.36.0 enables remote code execution via untrusted input to the options argument. Upgrade or block untrusted input! Impact: full system compromise. More: https://radar.offseq.com/threat/cve-2026-6951-remote-code-execution-rce-in-simple--178a7d4e #OffSeq #RCE #simplegit #Security


Details

CVE ID: CVE-2026-6951
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)