CVE-2026-42301

Source
https://cve.org/CVERecord?id=CVE-2026-42301
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42301.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42301
Aliases
Published
2026-05-09T03:59:34.741Z
Modified
2026-07-13T16:43:26.704373754Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec
Details

pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42301.json"
}
References

Affected packages

Git / github.com/befeleme/pyp2spec

Affected ranges

Type
GIT
Repo
https://github.com/befeleme/pyp2spec
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.10.0
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.12.2
v0.13.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42301.json"