#VU125922 OS Command Injection in Simple Git - CVE-2026-28291

Published: April 14, 2026


Vulnerability identifier: #VU125922
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28291
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Simple Git
Software vendor:
Steve King

Description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the option-parsing logic of simple-git when it processes user-controlled git command options. A remote attacker can supply specially crafted option variants to execute arbitrary commands.

The issue can be triggered even when allowUnsafePack is explicitly set to false. The provided proof of concept succeeded on Linux-based environments but was not reproduced on Windows 11.
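As an added example (not code from the advisory or from the simple-git project), a defense-in-depth check for applications that forward user-supplied git options to simple-git: an exact-match allowlist applied before the library's own option parsing, so that unexpected option variants are rejected regardless of library version or the allowUnsafePack setting. The permitted options, their value patterns and the `buildLogArgs` name are assumptions made for illustration.

```javascript
// Added example: allowlist user-supplied git options before they reach simple-git.
// The permitted options and value patterns below are assumptions for this illustration.
const ALLOWED_LOG_OPTIONS = new Map([
  ['--oneline',   { takesValue: false }],
  ['--stat',      { takesValue: false }],
  ['--max-count', { takesValue: true, valuePattern: /^[1-9]\d{0,3}$/ }],
  ['--author',    { takesValue: true, valuePattern: /^[A-Za-z0-9 ._@-]{1,64}$/ }],
]);

// Split "--name=value" into [name, value]; a token without "=" yields [token, undefined].
function splitOption(token) {
  const idx = token.indexOf('=');
  return idx === -1 ? [token, undefined] : [token.slice(0, idx), token.slice(idx + 1)];
}

// Returns the validated argument list for `git log`, or throws on the first
// token that is not an exact, allowlisted option with a well-formed value.
function buildLogArgs(userOptions) {
  const args = ['log'];
  for (const token of userOptions) {
    if (typeof token !== 'string') throw new Error('option must be a string');
    const [name, value] = splitOption(token);
    // Exact match only: no trimming, case folding or prefix matching, so that
    // look-alike variants of a permitted option are rejected rather than normalized.
    const spec = ALLOWED_LOG_OPTIONS.get(name);
    if (!spec) throw new Error(`option not allowed: ${JSON.stringify(token)}`);
    if (spec.takesValue) {
      if (value === undefined || !spec.valuePattern.test(value)) {
        throw new Error(`bad value for ${name}`);
      }
      args.push(`${name}=${value}`);
    } else {
      if (value !== undefined) throw new Error(`${name} takes no value`);
      args.push(name);
    }
  }
  return args;
}

// Usage sketch with simple-git (not executed here); `req.query.opts` is an assumed input:
//   const git = simpleGit({ baseDir, unsafe: { allowUnsafePack: false } });
//   const log = await git.raw(buildLogArgs(req.query.opts));
```

The allowlist is the control: the library's own guard is kept in its default-off state, but the application no longer relies on it to decide which options are safe.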


Remediation

Install the security update from the vendor's website.

External links