CVE-2026-40034

Severity CVSS v4.0:
HIGH
Type:
CWE-77 Command Injection
Publication date:
26/05/2026
Last modified:
28/05/2026

Description

gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.