[research writeup](https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292)

simple-git, 5M+ weekly npm downloads. the bypass is through case-sensitivity handling, subtle enough that traditional SAST wouldn't catch it.

found by the same team (codeant ai) that found CVE-2026-29000, the CVSS 10.0 pac4j-jwt auth bypass that sat undiscovered for 6 years.

interesting pattern: both vulns were found by AI code reviewer, not pattern-matching scanners.