Description
pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
Published: 2026-05-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pyp2spec generates Fedora RPM spec files from Python project metadata. Prior to version 0.14.1, the tool wrote PyPI metadata fields such as the package summary directly into the spec file without escaping RPM macro syntax. When a packager ran rpmbuild, those unsanitized macro directives were expanded and executed, allowing an attacker to run arbitrary commands on the build host. This is a classic code-injection flaw that compromises the integrity and confidentiality of the build environment.

Affected Systems

All installations of befeleme's pyp2spec older than version 0.14.1 are vulnerable. Any build workflow that processes PyPI metadata with this tool and then invokes rpmbuild on the generated spec file is at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score is unavailable, so the exact exploitation likelihood is unknown. The vulnerability is not listed in CISA KEV. An attacker would need to supply or influence the PyPI package metadata that a packager processes, for example through an untrusted package or a malicious contributor. Based on the description, the attack vector is inferred to be local, requiring control over the metadata source or the build process. If exploited, an attacker can achieve arbitrary command execution on the build machine.

Generated by OpenCVE AI on May 9, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyp2spec to version 0.14.1 or later
  • If upgrading is not immediately possible, regenerate any spec files using the patched tool or manually sanitize the summary field to remove or escape any RPM macro characters
  • For protection during the transition, run rpmbuild in a restricted, isolated environment and audit the spec files for unintended macro expansions

Generated by OpenCVE AI on May 9, 2026 at 05:50 UTC.
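As an added illustration of the sanitization the recommended actions describe (this is example code, not pyp2spec's own code and not its actual fix), the following Python escapes untrusted PyPI metadata before it is written as a spec Summary line and detects any macro directive that would still expand under rpmbuild. The regex and the sample summary are constructed for this example.

```python
import re

# Directive forms rpmbuild expands in spec text: %{...}, %(...) and bare %name.
# The pattern is this example's own and is deliberately conservative.
_MACRO_RE = re.compile(r"%(?:\{[^}]*\}|\([^)]*\)|[A-Za-z_]\w*)")


def find_macro_directives(text: str) -> list[str]:
    """Return every RPM macro directive in text that rpmbuild would expand.

    '%%' is RPM's escape for a literal '%', so escaped pairs are dropped before
    matching; only a '%' that still starts a directive is reported.
    """
    return _MACRO_RE.findall(text.replace("%%", ""))


def escape_rpm_macros(text: str) -> str:
    """Double every '%' so rpmbuild emits it literally instead of expanding it."""
    return text.replace("%", "%%")


def render_summary(summary: str) -> str:
    """Build a spec 'Summary:' line from an untrusted PyPI summary string.

    Escaping happens first; the post-check is a belt-and-braces guard so a
    future change to the escaper cannot silently reintroduce the injection.
    """
    escaped = escape_rpm_macros(summary)
    leftover = find_macro_directives(escaped)
    if leftover:
        raise ValueError(f"macro directive survived escaping: {leftover}")
    return f"Summary: {escaped}"


if __name__ == "__main__":
    # Constructed sample: a PyPI summary carrying a shell macro, a brace macro
    # and an innocent percent sign that must survive as plain text.
    untrusted = "Fast tool %(echo injected) for %{name} with 100% coverage"
    print("would expand:", find_macro_directives(untrusted))
    print(render_summary(untrusted))
```

The detector can also be run over metadata already pulled from PyPI to flag suspicious packages before any spec file is generated.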

Advisories

Source: GitHub GHSA
ID: GHSA-r35x-v8p8-xvhw
Title: pyp2spec is Vulnerable to Code Injection

History

Sat, 09 May 2026 04:15:00 +0000

Values added:

Description: pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
Title: Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec
Weaknesses: CWE-20, CWE-94
References: (none listed)
Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Values removed: none
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:59:34.741Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42301

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T04:16:25.923

Modified: 2026-05-09T04:16:25.923

Link: CVE-2026-42301

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:00:12Z

Weaknesses