Hi,
The following vulnerability was published for python-click.
CVE-2026-7246[0]:
| Pallets Click, versions 8.3.2 and below, contain a command injection
| vulnerability in the click.edit() function, allowing attackers to
| pass arbitrary OS commands from an unprivileged account.
Note that the 'introduced by' commit in the advisory does not seem
correct, it is the one adding support for multiple files but the issue
would be present before 8.2.0 as well.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-7246
https://www.cve.org/CVERecord?id=CVE-2026-7246
[1] https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw
[2] https://github.com/pallets/click/commit/b96c2601af4e01341b4d2c0db494ebee4aef8f42
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore