CVE-2026-42301

CVE Database · CVE-2026-42301

CVE-2026-42301

· HIGHDeferred

CVSS v3.1

7.8

EPSS

0.20%

Published

May 9, 2026

Modified

May 13, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-20CWE-94

References (2)

https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1

https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw

KEV Catalog EPSS Scores Vendors All CVEs