PYSEC-2026-3003

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyp2spec/PYSEC-2026-3003.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3003
Aliases
Published
2026-07-13T15:02:56.968679Z
Modified
2026-07-13T16:33:08.866706461Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
pyp2spec is Vulnerable to Code Injection
Details

Impact

pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine.

The macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers execution, rpmbuild -bs, rpmbuild --nobuild, rpm -q --specfile, so the victim doesn't need to commit to a full build before getting compromised. The realistic attack path is typosquatting or targeting a package known to be under Fedora review rather than drive-by publishing. Fedora packagers hold dist-git SSH keys, Koji build credentials, and Bodhi update credentials, so compromise of one packager's workstation enables committing malicious source to dist-git and riding it through the normal build pipeline to end users.

Patches

Patched in 0.14.1.

Workarounds

None

References

Affected packages

PyPI / pyp2spec

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.1

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.4.0
0.5.0a1
0.5.0
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.12.0
0.12.1
0.12.2
0.13.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyp2spec/PYSEC-2026-3003.yaml"