Skip to main content

Click

2 CVEs product

Monthly

CVE-2026-7246 PyPI HIGH PATCH This Week

Command injection in Pallets Click's click.edit() function (versions ≤8.3.2) allows local attackers with high privileges to execute arbitrary OS commands via shell metacharacters. The vulnerability stems from unsafe use of shell=True in subprocess calls, fixed in version 8.3.3 by switching to shlex.split for command parsing. Attack complexity is high (AC:H) and requires user interaction (UI:R), limiting real-world exploitation despite CVSS 7.2 score. Public proof-of-concept exists (SSVC: exploitation=poc) but no evidence of active exploitation (not in CISA KEV). EPSS data not provided but expected low given local-only access vector and multiple exploitation constraints.

Command Injection Click
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2015-8768 CRITICAL PATCH Act Now

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Ubuntu Privilege Escalation Click Ubuntu Linux
NVD
CVSS 3.0
9.8
EPSS
1.6%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Command injection in Pallets Click's click.edit() function (versions ≤8.3.2) allows local attackers with high privileges to execute arbitrary OS commands via shell metacharacters. The vulnerability stems from unsafe use of shell=True in subprocess calls, fixed in version 8.3.3 by switching to shlex.split for command parsing. Attack complexity is high (AC:H) and requires user interaction (UI:R), limiting real-world exploitation despite CVSS 7.2 score. Public proof-of-concept exists (SSVC: exploitation=poc) but no evidence of active exploitation (not in CISA KEV). EPSS data not provided but expected low given local-only access vector and multiple exploitation constraints.

Command Injection Click
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Ubuntu Privilege Escalation Click +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy