Pallets Click Command Injection Vulnerability in click.edit() Function
Vulnerability
A command injection vulnerability has been identified in Pallets Click versions prior to 8.3.3. The issue arises in the click.edit() function, where unsanitized filenames are interpolated into a command string that is handed to the operating system shell. This allows attackers to execute arbitrary commands from an unprivileged account.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host operating system.
Reproduction
To reproduce this vulnerability, use a version of Pallets Click prior to 8.3.3. The vulnerability can be triggered by calling the click.edit() function with a filename that includes double-quote characters and shell metacharacters. The injected command will be executed in the shell because the filename is not properly sanitized before being passed to subprocess.Popen() with shell=True.
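As an added illustration (not Click's own code), the quoting pattern described above beside two safer forms, with a check that flags filenames a POSIX shell would interpret; the editor names and the sample filename are constructed for the example.

```python
import os
import shlex
import subprocess
from typing import List, Optional


def build_shell_command_unsafe(editor: str, filename: str) -> str:
    """Vulnerable pattern (illustrative): the filename is dropped into a
    double-quoted shell string. A `"` inside the name ends the quoting, so
    the remainder is parsed by the shell as syntax, not as a filename."""
    return f'{editor} "{filename}"'


def build_shell_command_quoted(editor: str, filename: str) -> str:
    """If a shell string is unavoidable, shlex.quote() wraps the filename so
    that every character reaches the editor literally."""
    return f"{editor} {shlex.quote(filename)}"


def build_argv(editor: str, filename: str) -> List[str]:
    """Preferred fix: split the editor setting (e.g. 'code --wait') shell-style
    and append the filename as its own argv element; no shell is involved."""
    return shlex.split(editor) + [filename]


def filename_needs_quoting(filename: str) -> bool:
    """Audit check: shlex.quote() returns its input unchanged only when the
    name contains nothing a POSIX shell treats specially."""
    return shlex.quote(filename) != filename


def shell_round_trips(command: str, filename: str) -> bool:
    """True if shell word-splitting of `command` (shlex.split follows the
    same quoting rules) yields the filename as one intact argument."""
    try:
        return shlex.split(command)[1:] == [filename]
    except ValueError:  # unbalanced quotes: the shell would reject or misparse
        return False


def open_in_editor(filename: str, editor: Optional[str] = None) -> int:
    """Launch the editor with shell=False; the filename never meets a shell."""
    editor = editor or os.environ.get("VISUAL") or os.environ.get("EDITOR") or "vi"
    return subprocess.run(build_argv(editor, filename), shell=False).returncode
```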
Remediation
Users are advised to upgrade to Pallets Click version 8.3.3 or later.
