PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42301 Unknown Vendor CVE debrief

CVE-2026-42301 describes a build-time code execution issue in pyp2spec before 0.14.1. The tool wrote PyPI package metadata into generated Fedora RPM spec files without escaping RPM macro directives. When a packager runs rpmbuild, those directives can be evaluated, allowing a malicious package to execute commands on the build machine. The issue was patched in pyp2spec 0.14.1.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Fedora/RPM packagers, Python packaging maintainers, CI/CD owners, and anyone using pyp2spec to generate spec files from untrusted or third-party Python packages.

Technical summary

According to the CVE description and GitHub advisory references, pyp2spec versions prior to 0.14.1 copied PyPI metadata such as the summary field into generated RPM spec files without escaping RPM macro syntax. Because RPM spec processing evaluates macro directives during rpmbuild, attacker-controlled metadata could be interpreted as commands in the packaging context. The vulnerability is classified with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and mapped to CWE-20 and CWE-94 in the supplied source data.

Defensive priority

High. This is a build-system compromise risk that can affect package signing, release pipelines, and downstream artifacts if pyp2spec is used on untrusted input.

Recommended defensive actions

  • Upgrade pyp2spec to version 0.14.1 or later.
  • Review any automation that generates RPM spec files from PyPI metadata and treat package metadata as untrusted input.
  • Inspect generated spec files in packaging pipelines for unexpected RPM macro directives before running rpmbuild.
  • Limit where builds run and apply least privilege to packaging environments to reduce impact if macro evaluation is triggered.
  • If pyp2spec was used on third-party packages, audit recent build jobs and outputs for unexpected commands or spec-file content.
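The two pipeline checks above (treat metadata as untrusted input; inspect generated spec files before rpmbuild) can be expressed as small helpers. The following is an added example written for this debrief, not pyp2spec's own code or its actual fix. It assumes the standard RPM convention that a doubled percent sign (%%) is emitted as a literal % by rpmbuild, and it uses a constructed spec file and a constructed summary string as input; the section list and free-text tag list are my own choices of where plain text is expected.

```python
"""Added example (not pyp2spec code): neutralise and detect RPM macro syntax
in PyPI metadata before it reaches rpmbuild.

  * escape_rpm_macros(): double every '%' so rpmbuild treats it literally
    (assumption: standard RPM '%%' escaping convention).
  * find_unexpected_macros(): scan a generated spec file for macro-looking
    constructs on free-text tag lines and inside %description, where only
    plain text copied from package metadata is expected.
"""
import re

# RPM macro syntax begins with '%': %name, %{name}, %(shell command).
_MACRO_RE = re.compile(r"%(\{|\(|[A-Za-z_])")

# Preamble tags that commonly carry free text copied from package metadata.
_FREE_TEXT_TAGS = ("Summary:", "License:", "URL:")

# Section directives; only %description introduces a free-text body.
_SECTIONS = {"%prep", "%build", "%install", "%check", "%files",
             "%changelog", "%package", "%description"}


def escape_rpm_macros(text: str) -> str:
    """Return metadata text with every '%' doubled so it cannot start a macro."""
    return text.replace("%", "%%")


def summary_line(summary: str) -> str:
    """Render a spec 'Summary:' line from untrusted metadata, escaped."""
    return "Summary:        " + escape_rpm_macros(summary)


def find_unexpected_macros(spec_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for free-text lines that still contain
    unescaped macro syntax. Run this on a generated spec before rpmbuild."""
    findings = []
    in_description = False
    for lineno, line in enumerate(spec_text.splitlines(), start=1):
        stripped = line.strip()
        first = stripped.split()[0] if stripped else ""
        if first in _SECTIONS:
            in_description = (first == "%description")
            continue  # the directive itself is expected
        is_free_text = in_description or any(
            stripped.startswith(tag) for tag in _FREE_TEXT_TAGS)
        # Drop already-escaped '%%' pairs, then look for live macro syntax.
        if is_free_text and _MACRO_RE.search(line.replace("%%", "")):
            findings.append((lineno, line))
    return findings


# Constructed, hostile-looking metadata summary (not from any real package).
SAMPLE_SUMMARY = "Fast 100% pure-Python parser %(date)"

# Constructed spec file as an unpatched generator might have written it.
SAMPLE_SPEC = """Name:           python-example
Version:        1.0
Summary:        Fast 100% pure-Python parser %(date)
License:        MIT

%description
Fast 100%% pure-Python parser %{expand:oops}

%prep
%autosetup -n example-%{version}

%files
%{python3_sitelib}/example
"""

if __name__ == "__main__":
    for lineno, line in find_unexpected_macros(SAMPLE_SPEC):
        print(f"line {lineno}: unexpected macro syntax: {line!r}")
    print("escaped:", summary_line(SAMPLE_SUMMARY))
```

Running the scanner over the constructed spec flags the Summary line (the `%(…)` construct) and the %description body (the `%{…}` construct), while the `%prep` and `%files` sections, where macros are expected, are left alone; the escaped Summary line produced by `summary_line` passes clean.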

Evidence notes

The description is supported by the official CVE/NVD record and GitHub Security Advisory references included in the source corpus. The GitHub release tag for v0.14.1 is cited as the patch release, and the advisory URL is provided as the remediation reference. Timing context uses the supplied CVE published/modified timestamp of 2026-05-09T04:16:25.923Z; no other issue date is inferred.

Official resources

Publicly disclosed on 2026-05-09 per the supplied CVE/NVD timestamps. The fix is available in pyp2spec 0.14.1.