๐Ÿ” CVE Alert

CVE-2026-7246

HIGH 7.2

Pallets Click contains a command injection via an unsanitized filename in click.edit()

CVSS Score: 7.2
EPSS Score: 0.0%
EPSS Percentile: 0th

Pallets Click versions 8.3.2 and below contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

Vendor: pallets click
Product: click
Published: Apr 30, 2026
Last Updated: Apr 30, 2026

Affected Versions

Pallets Click / Click
0 < 8.3.3

References

github.com: https://github.com/pallets/click/releases/tag/8.3.3
github.com: https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw