CVE-2026-7246

Summary

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

Affected Software

VendorProductVersion RangeStatus
Pallets ClickClick0 < 8.3.3affected

Weaknesses

  • CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()

Additional References

References