CVE-2026-42301
Received Received - Intake
Command Injection in pyp2spec Prior to Version 0.14.1

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42301
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
befeleme pyp2spec to 0.14.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in pyp2spec versions before 0.14.1 involves improper input validation where PyPI package metadata, such as the summary field, was written directly into generated RPM spec files without escaping RPM macro directives.

When these spec files are processed by rpmbuild or other RPM tools, the unescaped macro directives can be evaluated and executed, allowing a malicious package to run arbitrary commands on the build machine.

This can be exploited through typosquatting or targeting packages under Fedora review, potentially compromising the packager's workstation and leading to malicious source commits.

The issue was fixed in version 0.14.1.

Compliance Impact

This vulnerability allows arbitrary code execution on the build machine by exploiting improper input validation in pyp2spec, potentially compromising the confidentiality, integrity, and availability of the system.

Such a compromise could lead to unauthorized access or modification of sensitive data during the software build process, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.

Specifically, if the build environment handles regulated data or is part of a pipeline that processes such data, this vulnerability could increase the risk of data breaches or unauthorized data manipulation, thereby affecting compliance.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the build machine when a malicious package is processed by rpmbuild.

As a result, an attacker could compromise the packager's workstation, potentially gaining access to sensitive data, altering source code repositories with malicious commits, and disrupting the build process.

The CVSS score of 7.8 indicates a high severity with significant impacts on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves pyp2spec versions before 0.14.1 writing unescaped PyPI package metadata into RPM spec files, which can lead to code execution when rpmbuild processes these files.

To detect this vulnerability on your system, you should check the version of pyp2spec installed and inspect generated RPM spec files for unescaped RPM macro directives in metadata fields such as the summary.

Suggested commands include:

  • Check pyp2spec version: `pyp2spec --version`
  • Search generated spec files for suspicious macro directives in metadata fields, for example: `grep -E '%\{.*\}' /path/to/generated/specfile.spec`
  • Review recent spec files for unusual or unexpected macro expansions that could indicate injected commands.
Mitigation Strategies

The primary mitigation step is to upgrade pyp2spec to version 0.14.1 or later, where this vulnerability has been patched.

Until the upgrade is applied, avoid building RPMs from spec files generated by vulnerable versions of pyp2spec, especially those containing untrusted or external PyPI package metadata.

Additionally, review and sanitize any spec files generated by vulnerable versions before running rpmbuild to prevent execution of malicious macro directives.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42301. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart