CVE-2026-6951 in simple-git: why the popular PoC doesn’t pwn anything (and the env-var path that does)
Verdict: conditionally exploitable. Vulnerable on simple-git ≤ 3.35.x with @simple-git/argv-parser ≤ 1.0.3 only when the attacker can influence the env passed to git (the .env(...) reach), the --template option, or specific constructor config keys. The widely circulated --config protocol.ext.allow=always PoC does NOT work — argv-parser blocks it. Defenders using that PoC to test their stack will reach […]
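As an added example (not code from the original page or from the simple-git project), here is a lockfile check for the two version ranges named in the verdict. It assumes an npm lockfileVersion 2 or 3 `packages` map; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Version ceilings are taken from the verdict text above.
const AFFECTED = {
  "simple-git": [3, 35, Infinity],       // <= 3.35.x
  "@simple-git/argv-parser": [1, 0, 3],  // <= 1.0.3
};

// Returns [major, minor, patch] or null when the string is not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function atOrBelow(version, ceiling) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== ceiling[i]) return version[i] < ceiling[i];
  }
  return true;
}

// Walks every installed copy, including nested node_modules paths.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    const ceiling = AFFECTED[name];
    if (!ceiling) continue;
    const parsed = parseVersion(meta.version);
    // affected === null means the version string needs manual review.
    const affected = parsed === null ? null : atOrBelow(parsed, ceiling);
    findings.push({ path, name, version: meta.version, affected });
  }
  return findings;
}

// The verdict requires both packages to be in range at the same time.
function bothInRange(lock) {
  const hit = (n) => auditLockfile(lock).some((f) => f.name === n && f.affected);
  return hit("simple-git") && hit("@simple-git/argv-parser");
}

// Constructed sample lockfile; versions are illustrative, not a fix statement.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app", version: "1.0.0" },
  "node_modules/simple-git": { version: "3.35.2" },
  "node_modules/@simple-git/argv-parser": { version: "1.0.3" },
  "node_modules/tool/node_modules/simple-git": { version: "3.36.0" },
} };
```

A match only establishes the version range. Whether the env passed to git, the --template option, or the constructor config keys are attacker-influenced still has to be checked in the calling code.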