PYSEC-2026-2132

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/click/PYSEC-2026-2132.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2132
Aliases
Published
2026-04-30T14:16:36.433Z
Modified
2026-07-13T07:15:21.899333658Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

References

Affected packages

PyPI / click

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.3.3

Affected versions

0.*
0.1
0.2
0.3
0.4
0.5
0.5.1
0.6
0.7
1.*
1.0
1.1
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
3.*
3.0
3.1
3.2
3.3
4.*
4.0
4.1
5.*
5.0
5.1
6.*
6.0
6.1
6.2
6.3
6.4
6.5
6.6
6.7.dev0
6.7
7.*
7.0
7.1
7.1.1
7.1.2
8.*
8.0.0a1
8.0.0rc1
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/click/PYSEC-2026-2132.yaml"