PT-2026-36098 · Pallets · Click

Kpatsakis +1 · Published 2026-04-30 · Updated 2026-05-15 · CVE-2026-7246

CVSS v3.1: 7.2 (High)

Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Pallets Click versions 8.3.2 and earlier

Description

A command injection issue exists in the click.edit() function, which allows an unprivileged account to execute arbitrary operating system commands.

Recommendations

Update to a version later than 8.3.2. As a temporary workaround, consider restricting the use of the click.edit() function.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-7246
ECHO-A20E-BD39-2395
OESA-2026-2302
OESA-2026-2303
OESA-2026-2304
OESA-2026-2305
OPENSUSE-SU-2026:10760-1

Affected Products

Click