pyp2spec is Vulnerable to Code Injection — CVE-2026-42301
ID: CVE-2026-42301
Source: GitHub
Vendor: GitHub
Threat: high
CVSS: 7.8
EPSS: 0.00025
Summary
### Impact

pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. The macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers…
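The root cause described above is untrusted text reaching a spec file where rpm's parser expands `%`-introduced macros. The following added example (not pyp2spec's code, and not the project's actual fix) shows the two defensive halves a spec generator needs: a scanner that flags macro-like directives in metadata so a reviewer can see them, and an escaper that doubles `%` (rpm renders `%%` as a literal percent sign) before the value is written into a tag line. The metadata strings are constructed for the demonstration.

```python
import re

# Constructs rpm expands while parsing a spec: %(shell command), %{macro} and %name.
# This is a detection aid for review, not a parser; the escaper below does not rely on it.
_MACRO_RE = re.compile(r"%(\(|\{|[A-Za-z_])")


def find_macro_directives(text: str) -> list:
    """Return (offset, snippet) pairs for every macro-like directive in a metadata string."""
    hits = []
    for m in _MACRO_RE.finditer(text):
        # Show up to 12 characters so the reviewer sees the directive in context.
        hits.append((m.start(), text[m.start():m.start() + 12]))
    return hits


def escape_rpm_macros(text: str) -> str:
    """Neutralise macro expansion: rpm turns '%%' back into a literal '%' on output."""
    return text.replace("%", "%%")


def render_summary_tag(summary: str) -> str:
    """Build a spec 'Summary:' line from untrusted metadata with macros escaped."""
    # Tag values are single-line; collapse any embedded newlines first.
    flat = " ".join(summary.splitlines())
    return f"Summary:        {escape_rpm_macros(flat)}"


# Constructed sample metadata: a benign percent sign and a shell-expansion directive.
SAMPLE_SUMMARY = "Tool for 50% faster builds %(id)"

if __name__ == "__main__":
    for offset, snippet in find_macro_directives(SAMPLE_SUMMARY):
        print(f"macro-like directive at offset {offset}: {snippet!r}")
    print(render_summary_tag(SAMPLE_SUMMARY))
```

The scanner reports the `%(id)` fragment at offset 27 while ignoring the bare `50%`; the rendered tag line carries `50%% faster builds %%(id)`, which rpm prints verbatim as the original text instead of executing anything. Escaping every `%` rather than only the flagged ones is deliberate: the escaper must not depend on the completeness of the detection pattern.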
Product: pip: pyp2spec
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.