CVE-2026-7246
CVSS 7.2
Daily digests
The Pallets Click library (versions 8.3.2 and below) has a command injection bug in the click.edit() function. An attacker with an unprivileged account on the system can pass OS commands through this function and get them executed. If any of your Python apps or internal tools use click.edit(), they're potentially a stepping stone to full system compromise.