Skip to main content

Pallets Click CVE-2026-7246

| EUVDEUVD-2026-26375 HIGH
Command Injection (CWE-77)
2026-04-30 certcc
7.2
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
7.2 HIGH
AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.2 HIGH
qualitative

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 30, 2026 - 16:39 nvd
Patch available
Source Code Evidence Fetched
Apr 30, 2026 - 15:45 vuln.today
Analysis Generated
Apr 30, 2026 - 15:45 vuln.today
Patch available
Apr 30, 2026 - 15:01 EUVD
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.2 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 13:30 euvd
EUVD-2026-26375
Analysis Generated
Apr 30, 2026 - 13:30 vuln.today
CVE Published
Apr 30, 2026 - 13:16 nvd
HIGH 7.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 387 pypi packages depend on click (198 direct, 195 indirect)

Ecosystem-wide dependent count for version 8.3.3.

DescriptionCVE.org

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

AnalysisAI

Command injection in Pallets Click's click.edit() function (versions ≤8.3.2) allows local attackers with high privileges to execute arbitrary OS commands via shell metacharacters. The vulnerability stems from unsafe use of shell=True in subprocess calls, fixed in version 8.3.3 by switching to shlex.split for command parsing. Attack complexity is high (AC:H) and requires user interaction (UI:R), limiting real-world exploitation despite CVSS 7.2 score. Public proof-of-concept exists (SSVC: exploitation=poc) but no evidence of active exploitation (not in CISA KEV). EPSS data not provided but expected low given local-only access vector and multiple exploitation constraints.

Technical ContextAI

Pallets Click is a Python command-line interface creation toolkit widely used in Python CLI applications. The vulnerability exists in click.edit() and related functions that invoke external editors or pagers. Prior to 8.3.3, Click constructed command strings and passed them to subprocess.Popen with shell=True, enabling shell interpretation of metacharacters. This falls under CWE-77 (Command Injection), where untrusted input can break out of intended command boundaries. The fix (commit #2775, PR #1477) replaces this pattern with shlex.split() to safely tokenize commands into argv lists without shell interpretation, following secure subprocess invocation best practices. The same fix applies to pager command handling, indicating multiple affected code paths within Click's terminal interaction layer.

RemediationAI

Upgrade Pallets Click to version 8.3.3 or later immediately. Update via pip: 'pip install --upgrade click>=8.3.3' or specify in requirements.txt/pyproject.toml. Version 8.3.3 replaces shell=True subprocess calls with shlex.split() tokenization, eliminating shell injection vectors without breaking API compatibility (per release notes: 'fixes bugs but does not otherwise change behavior'). For environments unable to upgrade immediately, implement input validation on any user-controlled strings passed to click.edit() or click.pager() functions-specifically sanitize shell metacharacters (;|&$`<>(){}[]!\n) though this is fragile defense-in-depth. More robust workaround: avoid click.edit() entirely in privileged contexts and replace with direct file I/O operations, though this eliminates interactive editing functionality. Review application code using 'grep -r "click\.edit\|click\.pager" .' to identify exposure points. Reference vendor advisory at https://github.com/pallets/click/releases/tag/8.3.3 and complete changelog at https://click.palletsprojects.com/page/changes/#version-8-3-3.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-7246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy