VIR Vulnerability Intelligence Relay

CVE-2026-6951

critical
Published 2026-04-25 · Modified 2026-05-05
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

simple-git is vulnerable to Remote Code Execution

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: report@snyk.io — https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8

Package impact
EcosystemPackageVulnerableFixed
npm npmsimple-git<3.36.03.36.0
npm NPMsimple-git< 3.36.03.36.0

Application impact
VendorProductVersionsFixed
simple-git_projectsimple-git{"startIncluding":"3.15.0","endExcluding":"3.36.0"}3.36.0

References

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.