Command Injection Vulnerability in Pallets Click Allows Execution of Arbitrary OS Commands
CVE-2026-7246

7.2 HIGH

Key Information:

CVE Published: 30 April 2026

What is CVE-2026-7246?

Pallets Click versions 8.3.2 and earlier are susceptible to a command injection vulnerability in the click.edit() function. This flaw enables attackers with unprivileged accounts to execute arbitrary operating system commands, potentially compromising system integrity and security. It is crucial for users of these versions to update to a secured release to mitigate the risk associated with this vulnerability.

Affected Version(s)

Click 0 < 8.3.3

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
