CVE-2026-7246 is a high-severity command injection vulnerability in Pallets Click versions 8.3.2 and below. It exists in the click.edit() function and allows attackers to pass arbitrary OS commands from an unprivileged account. Its CVSS score is 7.2. The vulnerability was published on April 30, 2026, and last modified on June 30, 2 [truncated]
CVE-2023-46136 is a denial-of-service issue in Werkzeug’s multipart upload handling. A crafted file upload that begins with CR or LF and is followed by large amounts of data can cause boundary searches to run on a growing buffer, consuming CPU and potentially blocking worker processes that should handle legitimate requests. The issue is fixed in Werkzeug 3.0.1 and 2.3.8.
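The cost pattern described for CVE-2023-46136, shown as an added example that is not Werkzeug's code: a simplified model comparing a scanner that searches its whole accumulated buffer on every chunk with a bounded one that retains only a boundary-sized tail. The boundary string, function names, chunk sizes and the scanned-bytes counter are constructed for illustration.

```python
# Simplified model (not Werkzeug's code): cost of searching for a multipart
# boundary when every new chunk triggers a search over the whole buffer.

BOUNDARY = b"\r\n--constructed-boundary"  # constructed sample delimiter


def scan_rescanning(chunks, boundary=BOUNDARY):
    """Search the entire accumulated buffer on each chunk: quadratic work."""
    buf = bytearray()
    scanned = 0
    for chunk in chunks:
        buf += chunk
        scanned += len(buf)  # a miss walks the whole buffer again
        pos = buf.find(boundary)
        if pos != -1:
            return pos, scanned
    return -1, scanned


def scan_bounded(chunks, boundary=BOUNDARY):
    """Retain only a tail that could hold a split boundary: linear work."""
    tail = b""
    consumed = 0  # bytes already released downstream
    scanned = 0
    keep = len(boundary) - 1
    for chunk in chunks:
        window = tail + chunk
        scanned += len(window)
        pos = window.find(boundary)
        if pos != -1:
            return consumed + pos, scanned
        released = max(len(window) - keep, 0)
        consumed += released
        tail = window[released:]
    return -1, scanned


def constructed_upload(n_chunks=200, chunk_size=1024):
    """Constructed input: CR LF first, then filler, boundary at the end."""
    body = b"\r\n" + b"A" * (n_chunks * chunk_size) + BOUNDARY
    return [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]


if __name__ == "__main__":
    chunks = constructed_upload()
    for fn in (scan_rescanning, scan_bounded):
        pos, scanned = fn(chunks)
        print(f"{fn.__name__}: boundary at {pos}, bytes scanned {scanned}")
```

Both scanners report the same boundary offset; only the modelled amount of scanning differs, which is why the per-request CPU cost of the first form grows with the square of the upload size.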