{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"HIGH" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"Pallets Click, versions 8.3.2 and below, contains a command injection vulnerability in the click.edit() function. The vulnerability allows attackers to inject arbitrary OS commands through unsanitized filename parameters in the click.edit() function. Attackers can exploit this vulnerability to execute malicious commands from an unprivileged account, potentially leading to complete system compromise.", "category":"general", "title":"Synopsis" } ], "publisher":null, "references":[ { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7246" }, { "summary":"CVE-2026-7246 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-7246.json" }, { "summary":"openEuler-SA-2026-2305", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2305" }, { "summary":"CVE-2026-7246", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-7246&packageName=python-click" } ], "title":"openEuler cve CVE-2026-7246", "tracking":{ "initial_release_date":"2026-05-18T10:35:18+08:00", "revision_history":[ { "date":"2026-05-18T10:35:18+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-05-18T10:35:18+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-05-18T10:35:18+08:00", "id":"CVE-2026-7246", "version":"1.0.0", "status":"interim" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-click-8.1.7-2.oe2403.src.rpm", "name":"python-click-8.1.7-2.oe2403.src.rpm" }, "name":"python-click-8.1.7-2.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python-click-help-8.1.7-2.oe2403.noarch.rpm", "name":"python-click-help-8.1.7-2.oe2403.noarch.rpm" }, "name":"python-click-help-8.1.7-2.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-click-8.1.7-2.oe2403.noarch.rpm", "name":"python3-click-8.1.7-2.oe2403.noarch.rpm" }, "name":"python3-click-8.1.7-2.oe2403.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-click-8.1.7-2.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-click-8.1.7-2.oe2403.src", "name":"python-click-8.1.7-2.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python-click-help-8.1.7-2.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python-click-help-8.1.7-2.oe2403.noarch", "name":"python-click-help-8.1.7-2.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-click-8.1.7-2.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-click-8.1.7-2.oe2403.noarch", "name":"python3-click-8.1.7-2.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-7246", "notes":[ { "text":"Pallets Click, versions 8.3.2 and below, contains a command injection vulnerability in the click.edit() function. The vulnerability allows attackers to inject arbitrary OS commands through unsanitized filename parameters in the click.edit() function. Attackers can exploit this vulnerability to execute malicious commands from an unprivileged account, potentially leading to complete system compromise.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:python-click-8.1.7-2.oe2403.src", "openEuler-24.03-LTS:python-click-help-8.1.7-2.oe2403.noarch", "openEuler-24.03-LTS:python3-click-8.1.7-2.oe2403.noarch" ] }, "remediations":[ { "product_ids":{ "$ref":"$.vulnerabilities[0].product_status.fixed" }, "details":"python-click security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2305" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.2, "vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version":"3.1" }, "products":{ "$ref":"$.vulnerabilities[0].product_status.fixed" } } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2026-7246" } ] }