Is simple-git affected by CVE-2026-28291?

npm simple-git is affected in <3.32.0.

Is CVE-2026-28291 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

high

CVE-2026-28291

Q: Is CVE-2026-28291 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

npm · simple-git

Summary

simple-git Affected by Command Execution via Option-Parsing Bypass

Severity: high
EPSS: 0.6% (p46)
Also known as: GHSA-jcxm-m3jx-f287
Published: 2026-04-13

References

https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287
https://nvd.nist.gov/vuln/detail/CVE-2026-28291
https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d

Related advisories

CVE-2026-6951 — high · npm/simple-git

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.