Product
high
advisory
gix and gitoxide Submodule Path Traversal Vulnerability
2 rules, 1 TTP
A path traversal vulnerability exists in gix and gitoxide where unvalidated submodule names from `.gitmodules` can be used to escape the `.git/modules` directory, potentially leading to repository confusion by redirecting submodule state inspection and open operations to attacker-controlled paths.
gix +1
path-traversal
git
repository-confusion
supply-chain
high
advisory
gitoxide Arbitrary Command Execution via .gitmodules Bypass
2 rules, 1 TTP, 1 CVE
A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file: the function incorrectly validates the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.
gix
code-vulnerability
remote-code-execution
gitoxide