CVE-2026-6951

ADVISORY - github

Summary

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

EPSS Score⁠: 0.00111 (0.290)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

ADVISORY - github

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

Impacted images

Advisories

NIST

CREATED

12 days ago

UPDATED

8 days ago

ADVISORY IDCVE-2026-6951⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

8.2high

GitHub

CREATED

12 days ago

UPDATED

1 day ago

ADVISORY IDGHSA-hffm-xvc3-vprc⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

8.2high

minimos

CREATED

10 hours ago

UPDATED

10 hours ago

ADVISORY ID

MINI-w8wf-48cc-3wff

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY