Improper Input Validation leading to Improper Control of Generation of...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.

Basic Information

ID CVE-2026-42301

Source GitHub_M

Published May 9, 2026 at 03:59

Affected Product

Vendor befeleme

Product pyp2spec

Version < 0.14.1

Affected Versions befeleme pyp2spec < 0.14.1

CWE Classification

CWE-20 CWE-94

References

{
    "lastseen": "",
    "description": "pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.",
    "published": "2026-05-09T03:59:34.741Z",
    "modified": "2026-05-09T03:59:34.741Z",
    "type": "cve",
    "title": "Improper Input Validation leading to Improper Control of Generation of Code ('Code Injection') in pyp2spec",
    "source": "GitHub_M",
    "references": "https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw\nhttps://github.com/befeleme/pyp2spec/releases/tag/v0.14.1",
    "id": "CVE-2026-42301",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "befeleme pyp2spec < 0.14.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pyp2spec",
    "version": "< 0.14.1",
    "vendor": "befeleme",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper Input Validation leading to Improper Control of Generation of Code (‘Code Injection’) in pyp2spec_CVE-2026-42301