PT-2026-43251 · Unknown · Gix-Submodule
Published 2026-05-26 · Updated 2026-05-26 · CVE-2026-40034
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
gix-submodule versions prior to 0.29.0
gitoxide versions prior to 0.5.21
gix versions prior to 0.84.0
Description
Incorrect validation of the update field in .gitmodules allows an attacker who controls a repository's .gitmodules to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. Git's submodule update setting accepts a custom command of the form !command, which is only meant to be honoured from the local .git/config and never from the repository-supplied .gitmodules; because of the bypass, a shell command injected into the .gitmodules update field is executed when Submodule::update() is called on such a previously initialized submodule. The CVSS vector (AV:L, UI:R) reflects the attack path: the victim must obtain the malicious repository, for example by cloning it, and then update its submodules, after which the attacker's command runs with the victim's privileges. The result is arbitrary command execution on the victim's machine triggered by attacker-supplied repository content, which is what the RCE tag below refers to.
Recommendations
Update gix-submodule to version 0.29.0 or later.
Update gitoxide to version 0.5.21 or later.
Update gix to version 0.84.0 or later.
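The following is an added example, written for this page and not taken from gitoxide, gix-submodule or the advisory. It models the check the description refers to: a minimal parser for the [submodule "name"] sections of two config sources, a merge that resolves them the way git does (.git/config overrides .gitmodules key by key, while remembering each value's origin), and two guards side by side. guard_vulnerable is a hypothetical reconstruction of the flaw as the advisory describes it (a submodule that has any section in .git/config is treated as initialized and the merged update value is trusted), and guard_fixed refuses a !command update mode whenever the effective value originates from .gitmodules, no matter what else .git/config holds. The !command syntax is git's real custom update mode; the sample file contents, the guard logic, and the function names are constructed for illustration and are not the gix-submodule implementation.

```rust
use std::collections::BTreeMap;

/// Which file a value came from: .gitmodules ships with the cloned repository
/// (attacker-controlled), .git/config is written locally by the user.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Source { GitModules, GitConfig }

/// key -> (value, origin), e.g. "update" -> ("!cmd", Source::GitModules)
pub type SubmoduleConfig = BTreeMap<String, (String, Source)>;

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum UpdateDecision { Allowed(String), CommandForbiddenInModulesConfiguration(String) }

/// Constructed .gitmodules: the repository author set git's `!command` update mode.
pub const GITMODULES: &str = r#"
[submodule "lib"]
    url = https://example.invalid/lib.git
    update = !echo pwned > /tmp/pwned
"#;

/// Constructed, partially initialised .git/config: the section exists but has no `update` key.
pub const PARTIAL_GIT_CONFIG: &str = r#"
[submodule "lib"]
    url = https://example.invalid/lib.git
    active = true
"#;

/// Minimal parser for `[submodule "name"]` sections of a git-style config file
/// (written for this example; it is not the full git config grammar).
pub fn parse_submodule_sections(text: &str, source: Source) -> BTreeMap<String, SubmoduleConfig> {
    let mut out: BTreeMap<String, SubmoduleConfig> = BTreeMap::new();
    let mut current: Option<String> = None; // None while inside a non-submodule section
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            current = line[1..line.len() - 1]
                .strip_prefix("submodule ")
                .and_then(|n| n.trim().strip_prefix('"'))
                .and_then(|n| n.strip_suffix('"'))
                .map(str::to_owned);
        } else if let (Some(name), Some((k, v))) = (&current, line.split_once('=')) {
            out.entry(name.clone())
                .or_default()
                .insert(k.trim().to_owned(), (v.trim().to_owned(), source));
        }
    }
    out
}

/// Merge as git does (.git/config overrides .gitmodules key by key), keeping each value's origin.
pub fn effective(modules: &SubmoduleConfig, config: Option<&SubmoduleConfig>) -> SubmoduleConfig {
    let mut merged = modules.clone();
    merged.extend(config.into_iter().flatten().map(|(k, v)| (k.clone(), v.clone())));
    merged
}

/// Hypothetical flawed guard (not gix's code), modelled on the advisory: the
/// `!` check only runs when the submodule has no .git/config section at all,
/// so a partial section lets a .gitmodules-supplied command through.
pub fn guard_vulnerable(modules: &SubmoduleConfig, config: Option<&SubmoduleConfig>) -> UpdateDecision {
    let merged = effective(modules, config);
    let update = merged.get("update").map_or("checkout".to_owned(), |(v, _)| v.clone());
    if config.is_none() && update.starts_with('!') {
        return UpdateDecision::CommandForbiddenInModulesConfiguration(update);
    }
    UpdateDecision::Allowed(update)
}

/// Hardened guard: refuse `!command` whenever the effective value's origin is
/// .gitmodules, regardless of what else .git/config contains.
pub fn guard_fixed(modules: &SubmoduleConfig, config: Option<&SubmoduleConfig>) -> UpdateDecision {
    match effective(modules, config).get("update") {
        Some((v, Source::GitModules)) if v.starts_with('!') => {
            UpdateDecision::CommandForbiddenInModulesConfiguration(v.clone())
        }
        Some((v, _)) => UpdateDecision::Allowed(v.clone()),
        None => UpdateDecision::Allowed("checkout".to_owned()),
    }
}

/// Resolve submodule `name` from both files and run the chosen guard.
pub fn decide(name: &str, gitmodules: &str, git_config: &str, fixed: bool) -> UpdateDecision {
    let modules = parse_submodule_sections(gitmodules, Source::GitModules);
    let config = parse_submodule_sections(git_config, Source::GitConfig);
    let m = modules.get(name).cloned().unwrap_or_default();
    if fixed { guard_fixed(&m, config.get(name)) } else { guard_vulnerable(&m, config.get(name)) }
}

fn main() {
    for (label, fixed) in [("flawed guard", false), ("fixed guard", true)] {
        println!("{label}: {:?}", decide("lib", GITMODULES, PARTIAL_GIT_CONFIG, fixed));
    }
}
```

The design point is that the decision must be keyed on the origin of the effective update value, not on whether the submodule looks initialized: a .git/config section that carries url or active but no update key leaves the attacker's .gitmodules value as the one that wins the merge. A user who deliberately writes update = !command into their own .git/config is still honoured by the hardened guard, which is the behaviour git itself documents.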
Tags: Exploit · Fix · RCE · Command Injection
Affected Products
Gitoxide
Gix
Gix-Submodule