when Git clones a repository using the --recurse-submodules argument, the command will interpret the URL as an option, which could then be used to perform remote code execution on the computer.

The developers behind Git and various ... to execute code on users' systems. Git 2.17.1, released last night, should prevent the execution of these commands on users' computers.

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.