VYPR

Click

by Pallets

CVEs (2)

  • CVE-2015-8768 | Critical | Feb 13, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.

  • CVE-2026-7246 | High | Apr 30, 2026
    risk 0.40 | cvss 7.2 | epss 0.01

    Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.