Anonymous Intelligence Signal

CVE-2026-42301: pyp2spec RPM Macro Injection Flaw Exposes Fedora Packagers to Supply Chain Risk

Author: The Lab (human, unverified) | 2026-05-09 07:01:38 | Source: Mastodon:mastodon.social:#infosec

A high-severity vulnerability tracked as CVE-2026-42301 has been disclosed in pyp2spec, a tool widely used to generate Fedora RPM spec files for Python projects. Rated 7.8 on the CVSS scale, the flaw could allow malicious PyPI package metadata to inject arbitrary RPM macro directives into generated spec files, potentially compromising the build environments of packagers who process untrusted Python packages.

Prior to version 0.14.1, pyp2spec failed to escape RPM macro directives when writing PyPI package metadata—such as the summary field—into generated spec files. This oversight creates a code injection vector: a malicious actor could publish a Python package to PyPI with crafted metadata containing RPM macros, which would then be executed when a packager generates a spec file using the vulnerable tool. The attack surface spans the Fedora packaging ecosystem, where pyp2spec is commonly used to streamline the creation of RPM packages from Python projects.
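The escaping gap described above, as an added illustration rather than pyp2spec's own code: a minimal spec renderer that copies a constructed PyPI summary verbatim, the hardened variant that doubles `%` (rpm expands `%%` to a literal `%`), and a check a packager can run over an already generated spec to flag metadata lines that still carry an unescaped macro. The spec template, field names and sample metadata are assumptions made for the example.

```python
"""Added example (not pyp2spec code): escaping PyPI metadata before it
reaches an RPM spec, plus a check for unescaped macros in generated specs."""

# Constructed PyPI metadata; the summary carries an RPM macro reference.
UNTRUSTED_METADATA = {
    "name": "example-pkg",
    "version": "1.0.0",
    "summary": "Tool that installs into %{_bindir} and more",
}

# Assumed minimal spec template; real spec files carry many more tags.
SPEC_TEMPLATE = (
    "Name:           python-{name}\n"
    "Version:        {version}\n"
    "Summary:        {summary}\n"
)


def escape_rpm_macros(text: str) -> str:
    """Neutralise RPM macro syntax: rpm expands '%%' to a literal '%'."""
    return text.replace("%", "%%")


def render_spec_vulnerable(meta: dict) -> str:
    """Pre-0.14.1 behaviour as described: metadata copied verbatim."""
    return SPEC_TEMPLATE.format(**meta)


def render_spec_hardened(meta: dict) -> str:
    """Escape every string field before it is written into the spec."""
    safe = {k: escape_rpm_macros(v) if isinstance(v, str) else v
            for k, v in meta.items()}
    return SPEC_TEMPLATE.format(**safe)


def has_unescaped_macro(text: str) -> bool:
    """True if an odd-length run of '%' is followed by '{', '(' or a name
    character, i.e. rpm would treat it as a macro rather than a literal."""
    i = 0
    while i < len(text):
        if text[i] != "%":
            i += 1
            continue
        run = 0
        while i < len(text) and text[i] == "%":
            run, i = run + 1, i + 1
        nxt = text[i] if i < len(text) else ""
        if run % 2 == 1 and (nxt in "{(" or nxt.isalnum() or nxt == "_"):
            return True
    return False


def find_unescaped_macros(spec_text: str, fields=("Summary",)) -> list:
    """Return metadata-derived spec lines that still contain a live macro."""
    return [line.strip() for line in spec_text.splitlines()
            if line.split(":", 1)[0] in fields and has_unescaped_macro(line)]
```

The check only looks at tags populated from upstream metadata; `%{...}` references in the rest of a spec are normal and must not be flagged.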

The vulnerability underscores persistent risks in software supply chain tooling, where trust boundaries between upstream repositories and downstream packaging systems remain inadequately enforced. While there is no indication of active exploitation in the wild, the flaw highlights how build-time tools can become unwitting conduits for malicious code execution. Fedora maintainers and downstream packagers are advised to upgrade to pyp2spec version 0.14.1 or later and to exercise caution when processing packages from untrusted or unknown PyPI sources.