Description

Pallets Click versions 8.3.2 and below contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

PUBLISHED Reserved 2026-04-27 | Published 2026-04-30 | Updated 2026-04-30 | Assigner certcc

Problem types

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

Any version before 8.3.3: affected

References

github.com/...sories/security/advisories/GHSA-47fr-3ffg-hgmw exploit

github.com/pallets/click/releases/tag/8.3.3

github.com/...sories/security/advisories/GHSA-47fr-3ffg-hgmw

cve.org (CVE-2026-7246)

nvd.nist.gov (CVE-2026-7246)
