{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7246", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-27T17:37:48.878Z", "datePublished": "2026-04-30T13:16:44.050Z", "dateUpdated": "2026-05-07T16:41:32.372Z"}, "containers": {"cna": {"title": "Pallets Click contains a command injection via Unsanitized Filename \"click.edit()\"", "descriptions": [{"lang": "en", "value": "Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Pallets Click", "product": "Click", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.3", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/pallets/click/releases/tag/8.3.3"}, {"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"}], "x_generator": {"engine": "VINCE 3.0.39", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7246"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-05-07T16:41:32.372Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-30T13:39:25.058670Z", "id": "CVE-2026-7246", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T13:40:48.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-7246", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-30T13:39:25.058670Z"}}}], "references": [{"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T13:38:01.428Z"}}], "cna": {"title": "Pallets Click contains a command injection via Unsanitized Filename \"click.edit()\"", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Pallets Click", "product": "Click", "versions": [{"status": "affected", "version": "0", "lessThan": "8.3.3", "versionType": "custom"}]}], "references": [{"url": "https://github.com/pallets/click/releases/tag/8.3.3"}, {"url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.39", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-7246"}, "descriptions": [{"lang": "en", "value": "Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-05-07T16:41:32.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7246", "state": "PUBLISHED", "dateUpdated": "2026-05-07T16:41:32.372Z", "dateReserved": "2026-04-27T17:37:48.878Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-30T13:16:44.050Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palletsprojects:click:*:*:*:*:*:*:*:*", "matchCriteriaId": "A891BBD6-CEE8-4840-8EF4-1047EF26D87C", "versionEndExcluding": "8.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account."}], "id": "CVE-2026-7246", "lastModified": "2026-04-30T16:39:47.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-30T14:16:36.433", "references": [{"source": "cret@cert.org", "tags": ["Product", "Patch"], "url": "https://github.com/pallets/click/releases/tag/8.3.3"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()", "id": "2464121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464121"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in Pallets Click. This command injection vulnerability, located in the click.edit() function, allows an attacker with an unprivileged account to execute arbitrary operating system (OS) commands. This could lead to unauthorized control over the affected system."], "name": "CVE-2026-7246", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3.11-click", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3.12-click", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3x-click", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-click", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-04-30T13:16:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-7246\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7246\nhttps://github.com/pallets/click/releases/tag/8.3.3\nhttps://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"], "statement": "A command injection vulnerability exists in the click.edit() function of the Pallets Click library. The filename parameter is not sanitized before being interpolated into a shell command string, allowing an attacker who controls the filename to inject and execute arbitrary OS commands.\nThe root cause is in edit_files(), which wraps the filename in double quotes and passes the resulting string to subprocess.Popen() with shell=True. A filename containing a double-quote character (\") can break out of the quoting context and introduce arbitrary shell metacharacters.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.3.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Click", "source": "cna", "vendor": "Pallets Click"}, "product": "click", "vendor": "pallets_click"}], "created": "2026-05-01T08:21:19.994990+00:00", "updated": "2026-05-04T13:45:25.947856+00:00", "vendors": ["pallets_click", "pallets_click$PRODUCT$click"]}