XPath Injection Vulnerability in pam_usb Hardware Authentication
CVE-2026-47273

6.5 MEDIUM

Key Information:

Vendor: Mcdope
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-47273?

pam_usb, a PAM module that provides hardware authentication for Linux using ordinary removable media, is susceptible to XPath injection in versions prior to 0.9.0. The module builds XPath expressions from user-supplied identifiers (the PAM username and service name) together with device identifiers (USB device serial number, model and vendor) without checking these inputs for XPath metacharacters. An attacker who controls one of these values could therefore inject arbitrary XPath predicates and manipulate the authentication checks that depend on the query result. The issue is fixed in pam_usb version 0.9.0.
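As an added illustration of the class of fix the advisory describes (not pam_usb's own code), the C functions below validate every identifier against a character allowlist before it is interpolated into an XPath expression, and fail closed otherwise. The `//users/user[@id]/services/service[@id]` layout is assumed for the example and is not taken from pam_usb's configuration schema.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check (illustrative, not pam_usb's code): identifiers that end
 * up inside an XPath predicate may only contain characters that cannot
 * change the expression's structure. Quotes, brackets, slashes, '(' and
 * '@' are all rejected, so a value can never close the predicate it is
 * placed in or append one of its own. */
static int ident_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 128)
        return 0;                         /* empty or oversized: reject */
    for (; *s; ++s) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ' '))
            return 0;
    }
    return 1;
}

/* Build the lookup expression only from validated parts. The element
 * layout below is assumed for this example. Returns a pointer to a static
 * buffer on success, or NULL (fail closed) if any part is rejected or the
 * result would not fit. */
static const char *xpath_for_user_service(const char *user, const char *service)
{
    static char buf[512];
    int n;

    if (!ident_is_safe(user) || !ident_is_safe(service))
        return NULL;
    n = snprintf(buf, sizeof buf,
                 "//users/user[@id='%s']/services/service[@id='%s']",
                 user, service);
    if (n < 0 || (size_t)n >= sizeof buf)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample inputs: a clean pair and one containing a quote. */
    const char *ok = xpath_for_user_service("alice", "sshd");
    const char *bad = xpath_for_user_service("alice'", "sshd");

    printf("valid:   %s\n", ok ? ok : "(rejected)");
    printf("invalid: %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

A PAM module would treat a NULL return as an authentication failure rather than falling back to a looser query.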

Affected Version(s)

pam_usb < 0.9.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved