CVE-2026-47273 MEDIUM

CVE-2026-47273: pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

Vendor Mcdope
Product pam_usb
Weakness CWE-91 · XML injection
Published May 27, 2026
Last update May 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated