CVE-2026-42301
HIGH
Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec
Title source: cna
Description
pyp2spec generates a working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec wrote PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives are evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
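The mitigation the description implies is to escape RPM macro syntax in any PyPI-sourced field before it is interpolated into the spec file. The following is an added Python example, not pyp2spec's own code or its actual fix; it assumes only RPM's documented rule that a literal percent sign is written as `%%`, and the `Summary:` line layout and the sample strings are constructed for illustration.

```python
"""Escape RPM macro syntax in untrusted package metadata before writing a spec file.

Added example, not pyp2spec's code. Assumes only that RPM renders a
literal percent sign from ``%%`` and expands ``%name``, ``%{...}`` and
``%(...)`` forms.
"""
import re

# One macro-looking token starting at a '%': brace form, paren form, or a bare name.
# The closing brace/paren is optional so an unterminated macro is still reported.
_MACRO = re.compile(r"%(?:\{[^}]*\}?|\([^)]*\)?|[A-Za-z_][A-Za-z0-9_]*)")


def find_unescaped_macros(text: str) -> list[str]:
    """Return the macro fragments in ``text`` that RPM would try to expand.

    Percent signs are walked pairwise so an already escaped ``%%`` is
    skipped rather than reported. A '%' followed by a space or digit
    (e.g. "100% pure") is not a macro and is ignored.
    """
    hits = []
    i = 0
    while i < len(text):
        if text[i] != "%":
            i += 1
            continue
        if text.startswith("%%", i):
            i += 2  # escaped literal percent sign; not a macro
            continue
        m = _MACRO.match(text, i)
        if m:
            hits.append(m.group(0))
            i = m.end()
        else:
            i += 1
    return hits


def escape_rpm_macros(text: str) -> str:
    """Double every '%' so RPM emits it literally instead of expanding it.

    Applied to every untrusted field (summary, description text, URLs
    taken from PyPI metadata) before it reaches the spec file.
    """
    return text.replace("%", "%%")


def render_summary(summary: str) -> str:
    """Build the spec file's Summary line from an untrusted PyPI summary."""
    return f"Summary:        {escape_rpm_macros(summary)}"


if __name__ == "__main__":
    # Constructed sample: a PyPI summary that happens to contain macro syntax.
    untrusted = "CLI that is 100% pure Python; see %{_docdir} for docs"
    print(find_unescaped_macros(untrusted))        # ['%{_docdir}']
    line = render_summary(untrusted)
    print(line)
    print(find_unescaped_macros(line))             # []
```

`find_unescaped_macros` is the check a packager or a CI step can run over a generated spec file; `escape_rpm_macros` is the transformation that keeps untrusted text literal. Escaping is applied at the point of writing, so even a field that merely looks like a macro (a project slogan containing `%{...}`) survives as plain text instead of being expanded by rpmbuild.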
References (2)
Core References (2)
x_refsource_confirm
https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw
x_refsource_misc
https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1
Scores
CVSS v3
7.8
EPSS
0.0001
EPSS Percentile
1.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
CWE-94
Status
published
Products (2)
befeleme/pyp2spec
< 0.14.1
pypi/pyp2spec
0 - 0.14.1
PyPI
Published
May 09, 2026
Tracked Since
May 09, 2026