Description

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

INFO

Published Date :

2026-04-25T05:00:05.257Z

Last Modified :

2026-04-25T10:50:22.342Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2026-6951 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-6951.

URL Resource
https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6 cve-icon cve-icon
https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact