PT-2026-37196 · PyPI · Pyp2Spec

Gouldnicholas · Published 2026-05-04 · Updated 2026-05-11 · CVE-2026-42301

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pyp2spec versions prior to 0.14.1

Description: pyp2spec writes PyPI package metadata, such as the summary field, into generated spec files without escaping RPM macro directives. When a packager runs tools such as rpmbuild -bs, rpmbuild --nobuild, or rpm -q --specfile, RPM evaluates these directives while parsing the spec file, so a malicious package can execute arbitrary commands on the build machine. Because execution happens during spec parsing, a full build is not required for compromise. Potential attack vectors include typosquatting or targeting packages under Fedora review, which could lead to the compromise of sensitive credentials such as dist-git SSH keys, Koji build credentials, and Bodhi update credentials.

Recommendations: Update to version 0.14.1.
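The defensive pattern the advisory implies is to treat every string that comes from PyPI metadata as untrusted text before it is emitted into a spec file, because RPM expands macro syntax (a bare `%`) at parse time. The example below is added here and is not pyp2spec's own code or its actual fix; it shows a lint check that flags macro-like tokens in metadata, an escaping helper that doubles `%` (the RPM escape for a literal percent sign), and a small spec preamble renderer that applies it. The function names, the `SAMPLE_METADATA` dictionary and the field layout are assumptions made for the illustration.

```python
"""Added example, not pyp2spec's own code: treat PyPI metadata as untrusted
text when emitting it into an RPM spec file."""
import re

# In RPM spec syntax a bare '%' introduces a macro: %{name}, %name or
# %(shell command). The parser expands these before any build step runs,
# which is why rpmbuild -bs or rpm -q --specfile is enough to trigger them.
# '%%' is the RPM escape for a literal percent sign, so it is skipped.
_MACRO_TOKEN = re.compile(r"%%|%(?:\{[^}]*\}|\([^)]*\)|[A-Za-z_]\w*)")


def find_macro_references(text: str) -> list[str]:
    """Return macro-like tokens found in text, ignoring escaped '%%'.

    Intended as a lint check: untrusted metadata should never yield a
    non-empty result once it has been prepared for a spec file."""
    return [tok for tok in _MACRO_TOKEN.findall(text) if tok != "%%"]


def escape_rpm_macros(text: str) -> str:
    """Neutralise macro syntax by doubling every '%' in the text."""
    return text.replace("%", "%%")


def render_spec_header(metadata: dict[str, str]) -> str:
    """Emit the preamble of a spec file from PyPI metadata.

    Free-text fields copied from the package (summary, description) are
    escaped. Name and version are assumed to be validated by the caller
    against a strict character set; that check is outside this example."""
    summary = escape_rpm_macros(metadata["summary"])
    description = escape_rpm_macros(metadata["description"])
    lines = [
        f"Name:           python-{metadata['name']}",
        f"Version:        {metadata['version']}",
        f"Summary:        {summary}",
        "",
        "%description",  # the one directive we intend to emit
        description,
    ]
    return "\n".join(lines) + "\n"


# Constructed sample (hypothetical package): a summary that happens to
# contain macro syntax. The tokens are harmless here; the point is that they
# must reach the spec file as literal text rather than as directives.
SAMPLE_METADATA = {
    "name": "example-pkg",
    "version": "1.0.0",
    "summary": "Tool that mentions %{_bindir} and %(date)",
    "description": "Reports 100% coverage.",
}

if __name__ == "__main__":
    flagged = find_macro_references(SAMPLE_METADATA["summary"])
    print("macro-like tokens in raw summary:", flagged)
    spec = render_spec_header(SAMPLE_METADATA)
    print(spec)
    # Only the %description directive we wrote ourselves should remain.
    print("directives left in rendered spec:", find_macro_references(spec))
```

Running `find_macro_references` over the rendered output is a useful regression check for a generator: the only tokens it should ever report are the directives the generator itself writes (`%description` here), never anything that originated in package metadata.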

Tags: Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-42301
GHSA-R35X-V8P8-XVHW

Affected Products

Pyp2Spec