{
  "threat_severity" : "Important",
  "public_date" : "2026-03-10T18:34:21Z",
  "bugzilla" : {
    "description" : "simple-git: simple-git: Remote Code Execution via bypass of prior security fixes",
    "id" : "2446162",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2446162"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-76",
  "details" : [ "`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.", "A vulnerability was discovered in the simple-git Node.js library. The issue is caused by improper validation of user-supplied input when constructing Git commands. An attacker able to supply specially crafted repository URLs or arguments could exploit Git’s ext:: protocol handler to execute arbitrary commands on the underlying system.\nThis flaw bypasses earlier mitigations intended to restrict unsafe Git protocols. By injecting configuration options that re-enable the ext:: protocol, an attacker could cause the application to execute arbitrary external commands through the Git client.\nIf a vulnerable application passes untrusted input to simple-git operations such as repository cloning or fetching, a remote attacker could exploit this flaw to execute arbitrary commands on the host system with the privileges of the application process." ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch6-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-operator-bundle",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-proxy-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/logging-curator5-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "org.kie-process-migration-service",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-28292\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28292\nhttps://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257\nhttps://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292" ],
  "name" : "CVE-2026-28292",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}