Arbitrary Command Execution Vulnerability in pyp2spec Product by Befeleme
CVE-2026-42301

CVSS 7.8 HIGH

Key Information:

Vendor: Befeleme
Status: Vendor
CVE Published: 9 May 2026

What is CVE-2026-42301?

pyp2spec is a tool that generates Fedora RPM spec files for Python projects. Before version 0.14.1 it copied PyPI package metadata into the generated spec file without escaping RPM macro directives. RPM expands macros as soon as it parses a spec file, and some of them run commands: the %(...) form expands to the output of a shell command, and %{...} and bare %name references pull in whatever those macros are defined as. A packager who runs an unpatched pyp2spec against a malicious package and then builds the resulting spec with rpmbuild therefore executes attacker-controlled commands with their own privileges, compromising the build host. This matches the CVSS rating (local vector, no privileges, user interaction required, full impact) of 7.8 HIGH. The issue is fixed in version 0.14.1, which escapes the metadata before writing it; users should update, and spec files generated by earlier versions from untrusted packages should be inspected for macro directives before they are built.
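The following is an added example written for this page, not pyp2spec's own code, that models the bug class described above: a vulnerable spec renderer that interpolates metadata verbatim, beside a hardened one that applies RPM's escape (doubling the percent sign, which rpm renders back as a literal %), plus a scanner that flags live macro directives in a generated spec. The metadata, file layout and all function names are illustrative assumptions.

```python
"""
Toy model of the pyp2spec bug: PyPI metadata interpolated into an RPM spec
without escaping RPM macro directives, next to the escaped form.
Function and variable names are illustrative, not pyp2spec's own.
"""

# Constructed sample metadata (not a real PyPI package). The summary carries an
# RPM %(...) shell-expansion macro, which rpmbuild executes while parsing the
# spec, before any %build or %install section runs.
MALICIOUS_METADATA = {
    "name": "example-pkg",
    "version": "1.0.0",
    "summary": "Handy utilities %(touch /tmp/pwned) for everyone",
    "license": "MIT",
}


def find_rpm_macros(text):
    """Return the offsets of every unescaped RPM macro directive in text.

    Flags %(...) shell expansion, %{...} macro references and bare %name
    macros. A doubled %% is RPM's escape for a literal percent sign and is
    skipped, as is a % followed by a space or digit (e.g. "50% off").
    """
    hits = []
    i = 0
    while i < len(text):
        if text[i] == "%":
            nxt = text[i + 1] if i + 1 < len(text) else ""
            if nxt == "%":
                i += 2          # escaped literal, skip both characters
                continue
            if nxt in ("(", "{") or nxt.isalpha() or nxt == "_":
                hits.append(i)
        i += 1
    return hits


def escape_rpm_macros(text):
    """Neutralise macro expansion by doubling every %: rpm renders %% as %."""
    return text.replace("%", "%%")


def render_spec_unsafe(meta):
    """Vulnerable pattern: metadata copied verbatim into the spec."""
    return (
        f"Name:           python-{meta['name']}\n"
        f"Version:        {meta['version']}\n"
        f"Summary:        {meta['summary']}\n"
        f"License:        {meta['license']}\n"
    )


def render_spec_safe(meta):
    """Hardened pattern: every metadata string is escaped before interpolation."""
    esc = {k: escape_rpm_macros(str(v)) for k, v in meta.items()}
    return render_spec_unsafe(esc)  # same template, now fed escaped values


def audit_spec(spec_text):
    """List (line number, line) pairs that still carry a live macro directive."""
    return [
        (n, line) for n, line in enumerate(spec_text.splitlines(), 1)
        if find_rpm_macros(line)
    ]


if __name__ == "__main__":
    unsafe = render_spec_unsafe(MALICIOUS_METADATA)
    safe = render_spec_safe(MALICIOUS_METADATA)
    print("unsafe spec flagged lines:", audit_spec(unsafe))  # line 3, the Summary
    print("safe spec flagged lines:  ", audit_spec(safe))    # []
```

Only build a spec that the scanner leaves empty. Note that previewing a generated spec with `rpmspec -P` is not a safe check: it expands macros the same way rpmbuild does, so a `%(...)` directive runs there too. Grep the raw spec text instead, and treat the escape as something that must be applied to every string copied from the package, not just the summary.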

Affected Version(s)

pyp2spec < 0.14.1

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
