High severity7.8GHSA Advisory· Published May 9, 2026· Updated May 13, 2026
CVE-2026-42301
CVE-2026-42301
Description
pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyp2specPyPI | < 0.14.1 | 0.14.1 |
Affected products
2Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.