
CVE-2026-28292: RCE in simple-git via case-sensitivity bypass (CVSS 9.8)
The vulnerability affects simple-git, a package with over 5 million weekly npm downloads. It involves a remote code execution (RCE) flaw caused by improper case-sensitivity handling, which evades detection by traditional static application security testing (SAST) tools. The issue was discovered by the same team (CodeAnt AI) that identified CVE-2026-29000, a CVSS 10.0 authentication bypass in pac4j-jwt that remained undetected for six years. Both vulnerabilities were found using an AI code reviewer rather than conventional pattern-matching scanners.