CRITICAL Vulnerabilities | Reddit r/netsec

CVE-2026-28292: RCE in simple-git via case-sensitivity bypass (CVSS 9.8)

A critical case-sensitivity bypass vulnerability (CVE-2026-28292, CVSS 9.8) in the popular `simple-git` npm package allows remote code execution by circumventing fixes for two prior CVEs. According to authoritative NVD data, affected versions are `simple-git` >= 3.15.0, and the fix is implemented in version 3.32.3, to which users must upgrade immediately.

CodeAnt AI Security Research, Mar 9, 2026 (CEO, CodeAnt AI)

A case-sensitivity bug in simple-git (12.4 million+ weekly npm downloads) allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. The root cause is a single missing `/i` flag on a regex. The fix is literally one character. 73% of all simple-git downloads, approximately 9 million installs per week, are running vulnerable versions. Upgrade to v3.32.3 or later immediately.

| Field | Value |
| --- | --- |
| CVE ID | CVE-2026-28292 |
| Package | simple-git |
| Weekly Downloads | 12,410,544 |
| Affected Versions | >= 3.15.0 (all versions carrying the CVE-2022-25912 fix) |
| Fixed Version | 3.32.3 |
| CVSS v3.1 Score | 9.8 CRITICAL |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
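To make the "missing `/i` flag" root cause concrete, here is an added, generic illustration written for this page; it is not simple-git's code and does not reproduce its actual regex or the real option names involved. The option name `--hypothetical-unsafe-flag` and the sample arguments are constructed placeholders. The block contrasts a case-sensitive denylist regex with the same pattern carrying the `i` flag, and with a normalise-then-match variant.

```javascript
// Added illustration (not simple-git's code): a case-sensitive denylist regex
// silently misses mixed-case spellings of the thing it is meant to reject,
// while the same pattern with the `i` flag catches them.
// "--hypothetical-unsafe-flag" is a constructed placeholder option name.

// Weak check: only the exact lowercase spelling is rejected.
const DENY_WEAK = /^--hypothetical-unsafe-flag(=|$)/;

// Hardened check: identical pattern plus the `i` flag (the one-character fix).
const DENY_HARDENED = /^--hypothetical-unsafe-flag(=|$)/i;

function isRejectedWeak(arg) {
  return DENY_WEAK.test(arg);
}

function isRejectedHardened(arg) {
  return DENY_HARDENED.test(arg);
}

// Alternative: normalise the input before matching. This also protects checks
// written as plain string comparisons rather than regexes.
function isRejectedNormalised(arg) {
  return DENY_WEAK.test(arg.toLowerCase());
}

// Constructed sample arguments a validator might receive.
const SAMPLE_ARGS = [
  '--hypothetical-unsafe-flag=value',
  '--HYPOTHETICAL-UNSAFE-FLAG=value',
  '--Hypothetical-Unsafe-Flag',
  'origin',
];

// Run every sample through a check and report which ones it rejects.
function classify(args, check) {
  return args.map((arg) => ({ arg, rejected: check(arg) }));
}

// Stand-alone demo: the weak check rejects 1 of 4, the hardened check 3 of 4.
console.log('weak:', classify(SAMPLE_ARGS, isRejectedWeak));
console.log('hardened:', classify(SAMPLE_ARGS, isRejectedHardened));
```

A denylist like this is only as good as its agreement with how the downstream consumer parses the input; where the consumer is case-insensitive, the check must be too, and a positive allowlist of the argument shapes you actually expect is the more robust design.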
