CVE-2026-6951

ADVISORY - github

Summary

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

EPSS Score⁠: 0.01098 (0.613)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

ADVISORY - github

CWE-94⁠

Improper Control of Generation of Code ('Code Injection')

Impacted images

Advisories

NIST

CREATED

2 months ago

UPDATED

1 month ago

ADVISORY IDCVE-2026-6951⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-94⁠

CVSS SCORE

8.2high

GitHub

CREATED

2 months ago

UPDATED

2 months ago

ADVISORY IDGHSA-hffm-xvc3-vprc⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-94⁠

CVSS SCORE

8.2high

Chainguard

CREATED

29 days ago

UPDATED

29 days ago

ADVISORY ID

CGA-7564-rv9h-467m

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

2 months ago

UPDATED

2 months ago

ADVISORY ID

MINI-w8wf-48cc-3wff

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY