{
  "threat_severity" : "Important",
  "public_date" : "2026-04-30T13:16:44Z",
  "bugzilla" : {
    "description" : "github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()",
    "id" : "2464121",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464121"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing an attacker with an unprivileged account to execute arbitrary OS commands.", "A flaw was found in Pallets Click. This command injection vulnerability, located in the click.edit() function, allows an attacker with an unprivileged account to execute arbitrary operating system (OS) commands. This could lead to unauthorized control over the affected system." ],
  "statement" : "A command injection vulnerability exists in the click.edit() function of the Pallets Click library. The filename parameter is not sanitized before being interpolated into a shell command string, allowing an attacker who controls the filename to inject and execute arbitrary OS commands.\nThe root cause is in edit_files(), which wraps the filename in double quotes and passes the resulting string to subprocess.Popen() with shell=True. A filename containing a double-quote character (\") can break out of the quoting context and introduce arbitrary shell metacharacters.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24761",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.12-click-0:8.3.3-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24761",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.12-click-0:8.3.3-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 10",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24762",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el10",
    "package" : "python-click-0:8.3.3-1.el10ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24762",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "python3.12-click-0:8.3.3-1.el9ap"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3.11-click",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-click",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-7246\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7246\nhttps://github.com/pallets/click/releases/tag/8.3.3\nhttps://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw" ],
  "name" : "CVE-2026-7246",
  "csaw" : false
}