A vulnerability classified as critical was found in gitoxide gix-submodule up to 0.81.x . Affected by this issue is the function Submodule::update . The manipulation of the argument update results in command injection. This vulnerability is reported as CVE-2026-40034 . The attack requires a local approach. No exploit exists. Upgrading the affected component is advised.