High severity7.8GHSA Advisory· Published May 9, 2026· Updated May 13, 2026

CVE-2026-42301

Description

pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pyp2specPyPI	< 0.14.1	0.14.1

Affected products

Befeleme/Pyp2specGHSA
Range: < 0.14.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r35x-v8p8-xvhwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42301ghsaADVISORY
github.com/befeleme/pyp2spec/releases/tag/v0.14.1nvdWEB
github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhwnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000