You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
cve 2026-7246
About this tag
CVE-2026-7246 is a high-severity command-injection vulnerability disclosed on April 30, 2026, in Pallets Click's click.edit() helper. The flaw affects Python package versions before 8.3.3, allowing attacker-controlled filenames to escape quoting and execute operating-system commands on the user's local machine. This vulnerability highlights the risk of trusting utility functions that compose shell commands as strings, even in seemingly safe operations like opening a file in an editor. The tag covers discussions about the vulnerability, its impact, and the importance of patching to Click 8.3.3 or later to prevent shell escapes.
CVE-2026-7246 is a high-severity command-injection flaw disclosed April 30, 2026, in Pallets Click’s click.edit() helper, affecting Python package versions before 8.3.3 and allowing attacker-controlled filenames to escape quoting and run operating-system commands on the user’s local machine. The...