CVE-2026-42301 HIGH

CVE-2026-42301: Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec

Vendor Befeleme

Product pyp2spec

Weakness CWE-20 · Input validation

Published May 9, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.

Key dates

02Disclosure timeline

May 9, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42301 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2026-42301: Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec

01Description

02Disclosure timeline

03References

04Related CVE