CVE-2026-42301: Malicious Code Execution Via pyp2spec RPM Generation
The National Vulnerability Database has disclosed CVE-2026-42301, a high-severity vulnerability (CVSS 7.8) affecting pyp2spec prior to version 0.14.1. This tool, designed to generate Fedora RPM spec files for Python projects, inadvertently introduced a critical flaw. Specifically, pyp2spec was embedding PyPI package metadata, such as the summary field, directly into the generated spec file without proper escaping of RPM macro directives.
This oversight creates a dangerous pathway for attackers. A malicious PyPI package, crafted with specially formatted metadata, could embed executable RPM macro directives. When a packager subsequently runs rpmbuild on this compromised spec file, these directives are evaluated, allowing the malicious package to execute arbitrary commands on the build machine. This isn’t just a theoretical risk; it’s a direct supply chain attack vector against anyone building RPMs from PyPI sources using pyp2spec.
The implications for defenders are clear: trust in the build pipeline is paramount, and this vulnerability directly undermines it. An attacker doesn’t need to breach your network; they only need to get a malicious package into PyPI and wait for a developer to use pyp2spec. The issue has been patched in version 0.14.1, making immediate upgrades non-negotiable for anyone utilizing this tool.
What This Means For You
- If your organization uses `pyp2spec` to generate Fedora RPM spec files for Python projects, you are directly exposed to arbitrary code execution during the build process. Immediately identify all instances of `pyp2spec` in your build environments and upgrade them to version 0.14.1 or newer. Review your software supply chain for any reliance on this specific tool and ensure that all Python package sources are trusted, or implement strict sandboxing for RPM build operations.
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK; the Sigma YAML for one of them follows.
CVE-2026-42301: pyp2spec Unescaped RPM Macro Execution via PyPI Metadata

```yaml
title: CVE-2026-42301: pyp2spec Unescaped RPM Macro Execution via PyPI Metadata
id: scw-2026-05-09-ai-1
status: experimental
level: high
description: |
  Detects the execution of 'rpmbuild' with command lines containing unescaped RPM macro directives (e.g., '%{'). This is specific to CVE-2026-42301 where pyp2spec versions prior to 0.14.1 embed unescaped PyPI package metadata, such as the summary field, into generated spec files. When 'rpmbuild' processes these files, the unescaped macros are evaluated, leading to arbitrary command execution on the build machine.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42301/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'rpmbuild'
    CommandLine|contains:
      - '%{'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
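The rule's selection clause, evaluated over a few constructed process_creation events, as an added example that is not part of the feed's rule set. The event field names mirror the rule (`Image`, `CommandLine`); the paths and command lines are made up. The third event matters for anyone deploying the rule: in the scenario the advisory describes, the macro directive lives inside the generated spec file rather than on the rpmbuild command line, and that event does not match, so this rule should be paired with a pre-build scan of the spec itself rather than relied on alone.

```python
"""Added example (not part of the advisory's rule set): the Sigma selection
'Image|endswith rpmbuild AND CommandLine|contains %{' applied to constructed
process_creation events."""

# Constructed sample events; paths and command lines are made up.
SAMPLE_EVENTS = [
    # Macro directive passed on the command line: the rule's intended hit.
    {"Image": "/usr/bin/rpmbuild",
     "CommandLine": "rpmbuild --define 'sitelib %{_prefix}/lib' -ba python-example.spec"},
    # Same substring, different process: excluded by the Image clause.
    {"Image": "/usr/bin/grep",
     "CommandLine": "grep -rn '%{' /home/builder/rpmbuild/SPECS"},
    # The CVE scenario: the directive sits inside the .spec file, not on the
    # command line, so the rule does not see it.
    {"Image": "/usr/bin/rpmbuild",
     "CommandLine": "rpmbuild -ba /home/builder/rpmbuild/SPECS/python-example.spec"},
]

RULE_IMAGE_SUFFIX = "rpmbuild"
RULE_CMDLINE_SUBSTRING = "%{"


def matches_rule(event: dict) -> bool:
    """Sigma semantics of the selection: both modifiers must hold (AND within a
    selection map), and a missing field never matches."""
    image = event.get("Image")
    cmdline = event.get("CommandLine")
    if image is None or cmdline is None:
        return False
    return image.endswith(RULE_IMAGE_SUFFIX) and RULE_CMDLINE_SUBSTRING in cmdline


def evaluate(events: list[dict]) -> list[int]:
    """Return the indices of events that would raise the alert."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if matches_rule(event) else "no match", event["CommandLine"])
```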
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42301 | RCE | pyp2spec versions prior to 0.14.1 |
| CVE-2026-42301 | Code Injection | pyp2spec writing PyPI package metadata into spec file without escaping RPM macro directives |
| CVE-2026-42301 | Command Injection | Malicious PyPI package metadata executing arbitrary commands via rpmbuild |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.