{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7246","assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","state":"PUBLISHED","assignerShortName":"certcc","dateReserved":"2026-04-27T17:37:48.878Z","datePublished":"2026-04-30T13:16:44.050Z","dateUpdated":"2026-06-30T03:20:49.760Z"},"containers":{"cna":{"title":"Pallets Click contains a command injection via Unsanitized Filename \"click.edit()\"","descriptions":[{"lang":"en","value":"Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account."}],"source":{"discovery":"UNKNOWN"},"affected":[{"vendor":"Pallets Click","product":"Click","versions":[{"status":"affected","version":"0","lessThan":"8.3.3","versionType":"custom"}]}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}],"references":[{"url":"https://github.com/pallets/click/releases/tag/8.3.3"},{"url":"https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw"}],"x_generator":{"engine":"VINCE 3.0.39","env":"prod","origin":"https://cveawg.mitre.org/api/cve/CVE-2026-7246"},"providerMetadata":{"orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc","dateUpdated":"2026-05-07T16:41:32.372Z"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}],"references":[{"url":"https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw","tags":["exploit"]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":7.2,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"REQUIRED","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"HIGH","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-30T13:39:25.058670Z","id":"CVE-2026-7246","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-30T13:40:48.226Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el10","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el8","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"}],"datePublic":"2026-04-30T13:16:44.050Z","descriptions":[{"lang":"en","value":"A flaw was found in Pallets Click. This command injection vulnerability, located in the click.edit() function, allows an attacker with an unprivileged account to execute arbitrary operating system (OS) commands. This could lead to unauthorized control over the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-7246"},{"name":"RHBZ#2464121","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2464121"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7246.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24762"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24761"}],"solutions":[{"lang":"en","value":"RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 10, Red Hat Ansible Automation Platform 2.6 for RHEL 9"},{"lang":"en","value":"RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"}],"timeline":[{"lang":"en","time":"2026-04-30T14:00:58.850Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-30T13:16:44.050Z","value":"Made public."}],"title":"github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T03:20:49.760Z"}}]}}