PatchSiren

Palletsprojects CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Palletsprojects CVE published 2026-04-30

CVE-2026-7246

CVE-2026-7246 is a high-severity command injection vulnerability in Pallets Click versions 8.3.2 and below. The flaw lies in the click.edit() function and lets an attacker with an unprivileged account pass arbitrary OS commands. The CVSS score for this vulnerability is 7.2, indicating a high level of severity. The vulnerability was published on April 30, 2026, and last modified on June 30, 2 [truncated]

HIGH Palletsprojects CVE published 2023-10-25

CVE-2023-46136

CVE-2023-46136 is a denial-of-service issue in Werkzeug’s multipart upload handling. A crafted file upload that begins with CR or LF and is followed by large amounts of data can cause boundary searches to run on a growing buffer, consuming CPU and potentially blocking worker processes that should handle legitimate requests. The issue is fixed in Werkzeug 3.0.1 and 2.3.8.