{"url":"http://public2.vulnerablecode.io/api/packages/980701?format=json","purl":"pkg:npm/simple-git@3.20.0","type":"npm","namespace":"","name":"simple-git","version":"3.20.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.36.0","latest_non_vulnerable_version":"3.36.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50817?format=json","vulnerability_id":"VCID-epz2-6ye6-bfay","summary":"simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE\nThe `blockUnsafeOperationsPlugin` in `simple-git` fails to block git protocol\noverride arguments when the config key is passed in uppercase or mixed case.\nAn attacker who controls arguments passed to git operations can enable the\n`ext::` protocol by passing `-c PROTOCOL.ALLOW=always`, which executes an\narbitrary OS command on the host machine.\n\n---\n\n\n| # | Vector | Payload | Sentinel file | Result |\n|---|--------|---------|---------------|--------|\n| 1 | CVE-2022-25912 original | `protocol.ext.allow=always` (lowercase) | not created | Blocked ✅ |\n| 2 | Case-sensitivity bypass | `PROTOCOL.ALLOW=always` (uppercase) | `/tmp/pwn-codeant` created | **RCE ⚠️** |\n| 3 | Real-world app scenario | `PROTOCOL.ALLOW=always` + attacker URL | `/tmp/pwn-realworld` created | **RCE ⚠️** |\n\nThe case-sensitive regex in `preventProtocolOverride` blocks `protocol.*.allow` but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix.\n\n`/tmp/pwned` is created by the git subprocess via the `ext::` protocol.\n\nAll of the following bypass the check:\n\n| Argument passed via `-c` | Regex matches? | Git honours it? |\n|--------------------------|:--------------:|:---------------:|\n| `protocol.allow=always`  | ✅ blocked     | ✅              |\n| `PROTOCOL.ALLOW=always`  | ❌ bypassed    | ✅              |\n| `Protocol.Allow=always`  | ❌ bypassed    | ✅              |\n| `PROTOCOL.allow=always`  | ❌ bypassed    | ✅              |\n| `protocol.ALLOW=always`  | ❌ bypassed    | ✅              |\n\n---","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28292.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28292.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28292","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34728","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3476","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34777","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3474","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34706","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28292"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/steveukx/git-js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/steveukx/git-js"},{"reference_url":"https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T15:30:35Z/"}],"url":"https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"},{"reference_url":"https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T15:30:35Z/"}],"url":"https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292"},{"reference_url":"https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446162","reference_id":"2446162","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446162"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28292","reference_id":"CVE-2026-28292","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28292"},{"reference_url":"https://github.com/advisories/GHSA-r275-fr43-pm7q","reference_id":"GHSA-r275-fr43-pm7q","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r275-fr43-pm7q"},{"reference_url":"https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q","reference_id":"GHSA-r275-fr43-pm7q","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T15:30:35Z/"}],"url":"https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74660?format=json","purl":"pkg:npm/simple-git@3.32.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gtcg-eu7c-p7e6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.32.3"}],"aliases":["CVE-2026-28292","GHSA-r275-fr43-pm7q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epz2-6ye6-bfay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61851?format=json","vulnerability_id":"VCID-gtcg-eu7c-p7e6","summary":"simple-git: simple-git: Remote Code Execution due to incomplete fix bypass","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6951.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6951.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6951","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36309","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.4392","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43969","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43945","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.4391","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6951"},{"reference_url":"https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-25T10:50:10Z/"}],"url":"https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6"},{"reference_url":"https://github.com/steveukx/git-js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/steveukx/git-js"},{"reference_url":"https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-25T10:50:10Z/"}],"url":"https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6951"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-25T10:50:10Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461750","reference_id":"2461750","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461750"},{"reference_url":"https://github.com/advisories/GHSA-hffm-xvc3-vprc","reference_id":"GHSA-hffm-xvc3-vprc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hffm-xvc3-vprc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111319?format=json","purl":"pkg:npm/simple-git@3.36.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.36.0"}],"aliases":["CVE-2026-6951","GHSA-hffm-xvc3-vprc"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gtcg-eu7c-p7e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62849?format=json","vulnerability_id":"VCID-jghj-d43k-h7h4","summary":"simple-git: simple-git: Command Execution via Option-Parsing Bypass in simple-git","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28291.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28291.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28291","reference_id":"","reference_type":"","scores":[{"value":"0.00156","scoring_system":"epss","scoring_elements":"0.36117","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00156","scoring_system":"epss","scoring_elements":"0.36173","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00156","scoring_system":"epss","scoring_elements":"0.36181","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00156","scoring_system":"epss","scoring_elements":"0.36141","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00156","scoring_system":"epss","scoring_elements":"0.36103","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28291"},{"reference_url":"https://github.com/steveukx/git-js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/steveukx/git-js"},{"reference_url":"https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:53:36Z/"}],"url":"https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26"},{"reference_url":"https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:53:36Z/"}],"url":"https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d"},{"reference_url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:53:36Z/"}],"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0"},{"reference_url":"https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:53:36Z/"}],"url":"https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28291","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28291"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2022-25860","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:53:36Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2022-25860"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457930","reference_id":"2457930","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457930"},{"reference_url":"https://github.com/advisories/GHSA-jcxm-m3jx-f287","reference_id":"GHSA-jcxm-m3jx-f287","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jcxm-m3jx-f287"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111284?format=json","purl":"pkg:npm/simple-git@3.32.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-epz2-6ye6-bfay"},{"vulnerability":"VCID-gtcg-eu7c-p7e6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.32.0"}],"aliases":["CVE-2026-28291","GHSA-jcxm-m3jx-f287"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jghj-d43k-h7h4"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/simple-git@3.20.0"}