Impact
Pallets Click contains a command injection flaw in the click.edit() function: an attacker who can supply a malformed filename containing operating-system commands causes those commands to run with the privileges of the user running the application, which can lead to complete compromise of the affected system. The weakness is uncontrolled command injection, classified as CWE-77 and CWE-78. The likely attack vector, inferred from the description, is an attacker passing an unsanitized filename to click.edit() through user input or configuration.
Affected Systems
Versions of Pallets Click up to and including 8.3.2 are vulnerable. Users of these releases who invoke click.edit() with filenames derived from untrusted input may be affected.
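A defensive wrapper for the pattern described above, written for this page as an added example (it is not Pallets or Click project code). It assumes the application keeps user-editable files under one directory and rejects any name that does not match a conservative allow-list; that allow-list is an assumption, since the advisory does not spell out the malformed filename pattern. The `edit` parameter is a hypothetical injection point so the wrapper can be exercised without click installed or an editor launched:

```python
"""Defensive wrapper around click.edit() for filenames from untrusted input.

Added example, not Pallets/Click code. The advisory states that a malformed
filename reaching click.edit() can lead to OS command execution on affected
releases (<= 8.3.2). Until the application is upgraded, never hand an
unvalidated filename to click.edit(). The allow-list below is an assumed
hardening rule; the advisory does not describe the malformed pattern.
"""
import os
import re
from typing import Callable, Optional

# Allow-list: the name must start with a letter or digit (so it can never be
# read as an option such as "-x"), followed only by letters, digits, dot,
# underscore or dash. Shell metacharacters, whitespace, quotes and path
# separators are all excluded by construction.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_edit_filename(name: object) -> bool:
    """True only for a plain basename that cannot carry shell syntax or options."""
    return isinstance(name, str) and _SAFE_NAME.fullmatch(name) is not None


def resolve_in_dir(base_dir: str, name: str) -> str:
    """Join name onto base_dir and refuse anything that resolves outside it."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError(f"refusing path outside {base!r}: {name!r}")
    return path


def guarded_edit(name: str, base_dir: str,
                 edit: Optional[Callable[..., object]] = None) -> str:
    """Validate name, confine it to base_dir, then open it with an editor.

    `edit` defaults to click.edit; passing a callable instead is a hypothetical
    hook used here so the wrapper can run without click or a real editor.
    Returns the absolute path that was handed to the editor.
    """
    if not is_safe_edit_filename(name):
        raise ValueError(f"rejected unsafe filename: {name!r}")
    path = resolve_in_dir(base_dir, name)
    if edit is None:
        import click  # imported only when a real editor session is wanted
        edit = click.edit
    edit(filename=path)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: each string is only checked, never executed.
    samples = ["notes.txt", "-x", "a;id", "../../etc/passwd",
               "$(id).txt", "report 2024.md"]
    for s in samples:
        verdict = "accept" if is_safe_edit_filename(s) else "reject"
        print(f"{s!r:>22} -> {verdict}")
```

The allow-list approach is deliberately stricter than escaping: rather than trying to neutralise every character a shell or editor might interpret, it accepts only names that contain nothing to interpret, and the directory check stops a validated basename from being used to reach files outside the intended location.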
Risk and Exploitability
A CVSS score of 7.2 signals a high-severity vulnerability. The reported EPSS score of 0.00026 (< 1%) indicates a very low but non-zero likelihood of exploitation in environments where click.edit() is exposed. The vulnerability is not currently listed in the CISA KEV catalog, yet its impact and potential scope, full code execution on the host, classify it as a high-risk issue. Based on the description, the likely attack vector is an attacker controlling the filename argument passed to click.edit(), a scenario commonly realized through user-supplied arguments or configuration values. Attack prerequisites are minimal: the attacker must be able to influence the filename passed to click.edit().
OpenCVE Enrichment