{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-click security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-click is now available for openEuler-24.03-LTS",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Click is a Python package for creating beautiful command line interfaces in a composable way with as little code as necessary. It's the "Command Line Interface Creation Kit". It's highly configurable but comes with sensible defaults out of the box.\n\nSecurity Fix(es):\n\nPallets Click, versions 8.3.2 and below, contains a command injection vulnerability in the click.edit() function. The vulnerability allows attackers to inject arbitrary OS commands through unsanitized filename parameters in the click.edit() function. Attackers can exploit this vulnerability to execute malicious commands from an unprivileged account, potentially leading to complete system compromise.(CVE-2026-7246)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-click is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-click",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2026-2305",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2305"
			},
			{
				"summary":"CVE-2026-7246",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-7246&packageName=python-click"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7246"
			},
			{
				"summary":"openEuler-SA-2026-2305 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2305.json"
			}
		],
		"title":"An update for python-click is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2026-05-15T22:04:06+08:00",
			"revision_history":[
				{
					"date":"2026-05-15T22:04:06+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-05-15T22:04:06+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-05-15T22:04:06+08:00",
			"id":"openEuler-SA-2026-2305",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-click-8.1.7-2.oe2403.src.rpm",
									"name":"python-click-8.1.7-2.oe2403.src.rpm"
								},
								"name":"python-click-8.1.7-2.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-click-help-8.1.7-2.oe2403.noarch.rpm",
									"name":"python-click-help-8.1.7-2.oe2403.noarch.rpm"
								},
								"name":"python-click-help-8.1.7-2.oe2403.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python3-click-8.1.7-2.oe2403.noarch.rpm",
									"name":"python3-click-8.1.7-2.oe2403.noarch.rpm"
								},
								"name":"python3-click-8.1.7-2.oe2403.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-click-8.1.7-2.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-click-8.1.7-2.oe2403.src",
					"name":"python-click-8.1.7-2.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-click-help-8.1.7-2.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-click-help-8.1.7-2.oe2403.noarch",
					"name":"python-click-help-8.1.7-2.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python3-click-8.1.7-2.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python3-click-8.1.7-2.oe2403.noarch",
					"name":"python3-click-8.1.7-2.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-7246",
			"notes":[
				{
					"text":"Pallets Click, versions 8.3.2 and below, contains a command injection vulnerability in the click.edit() function. The vulnerability allows attackers to inject arbitrary OS commands through unsanitized filename parameters in the click.edit() function. Attackers can exploit this vulnerability to execute malicious commands from an unprivileged account, potentially leading to complete system compromise.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:python-click-8.1.7-2.oe2403.src",
					"openEuler-24.03-LTS:python-click-help-8.1.7-2.oe2403.noarch",
					"openEuler-24.03-LTS:python3-click-8.1.7-2.oe2403.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"},
					"details":"python-click security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2305"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.2,
						"vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":{"$ref":"$.vulnerabilities[0].product_status.fixed"}
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2026-7246"
		}
	]
}