<Vulnerability name="CVE-2026-7246">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-04-30T13:16:44</PublicDate>
    <Bugzilla id="2464121" url="https://bugzilla.redhat.com/show_bug.cgi?id=2464121" xml:lang="en:us">
github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.2</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-78</CWE>
    <Details xml:lang="en:us" source="Mitre">
Pallets Click versions 8.3.2 and below contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Pallets Click. This command injection vulnerability, located in the click.edit() function, allows an attacker with an unprivileged account to execute arbitrary operating system (OS) commands. This could lead to unauthorized control over the affected system.
    </Details>
    <Statement xml:lang="en:us">
A command injection vulnerability exists in the click.edit() function of the Pallets Click library. The filename parameter is not sanitized before being interpolated into a shell command string, allowing an attacker who controls the filename to inject and execute arbitrary OS commands.

The root cause is in edit_files(), which wraps the filename in double quotes and passes the resulting string to subprocess.Popen() with shell=True. A filename containing a double-quote character (") can break out of the quoting context and introduce arbitrary shell metacharacters.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>python3.11-click</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python3.12-click</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>python3x-click</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>python-click</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-7246
https://nvd.nist.gov/vuln/detail/CVE-2026-7246
https://github.com/pallets/click/releases/tag/8.3.3
https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw
    </References>
</Vulnerability>