{"id":"PYSEC-2026-3003","summary":"pyp2spec is Vulnerable to Code Injection","details":"### Impact\npyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine.\n\nThe macro evaluates during spec parsing, not only during the build step. Any rpm tool touching the generated spec triggers execution, `rpmbuild -bs`, `rpmbuild --nobuild`, `rpm -q --specfile`, so the victim doesn't need to commit to a full build before getting compromised. The realistic attack path is typosquatting or targeting a package known to be under Fedora review rather than drive-by publishing. Fedora packagers hold dist-git SSH keys, Koji build credentials, and Bodhi update credentials, so compromise of one packager's workstation enables committing malicious source to dist-git and riding it through the normal build pipeline to end users.\n\n### Patches\nPatched in 0.14.1.\n\n### Workarounds\nNone","aliases":["CVE-2026-42301","GHSA-r35x-v8p8-xvhw"],"modified":"2026-07-13T16:33:08.866706461Z","published":"2026-07-13T15:02:56.968679Z","references":[{"type":"WEB","url":"https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42301"},{"type":"PACKAGE","url":"https://github.com/befeleme/pyp2spec"},{"type":"WEB","url":"https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1"},{"type":"PACKAGE","url":"https://pypi.org/project/pyp2spec"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-r35x-v8p8-xvhw"}],"affected":[{"package":{"name":"pyp2spec","ecosystem":"PyPI","purl":"pkg:pypi/pyp2spec"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.14.1"}]}],"versions":["0.1.0","0.10.0","0.11.0","0.11.1","0.12.0","0.12.1","0.12.2","0.13.0","0.2.0","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.5.0","0.5.0a1","0.6.0","0.6.1","0.7.0","0.8.0","0.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyp2spec/PYSEC-2026-3003.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}