XML External Entity Vulnerability in pam_usb by mcdope
CVE-2026-48981

6.7 MEDIUM

Key Information:

Vendor: Mcdope

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-48981?

A security flaw in pam_usb prior to version 0.9.2 allows external entity references to be processed during XML configuration file loading. This vulnerability can permit unauthorized outbound network connections or local file reads within the context of the authenticating process. Although exploitation requires prior write access to the root-owned pam_usb.conf file, the potential impact is significant due to the privileged nature of pam_usb.so running in setuid contexts. Users are strongly advised to upgrade to version 0.9.2 or later to mitigate this risk.
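As an added example (not code from pam_usb or from this advisory), the Python audit below checks the two conditions the description names: whether the configuration file contains DTD or external entity declarations, and whether the root-only write precondition actually holds for the file. The function names and sample documents are constructed for illustration; pass the location of pam_usb.conf on your system to audit_config.

```python
import os
import re
import stat

# XML keywords are case-sensitive, so the patterns are too.
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# DOCTYPE that references an external DTD subset.
EXT_DTD = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b")
# General or parameter (%) entity defined by an external identifier.
EXT_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b")

# Constructed sample documents (not real pam_usb configurations).
SAMPLE_CLEAN = '<configuration><!-- <!ENTITY x SYSTEM "u"> --><users/></configuration>'
SAMPLE_INTERNAL = '<!DOCTYPE configuration [<!ENTITY n "v">]><configuration/>'
SAMPLE_EXTERNAL = ('<!DOCTYPE configuration [<!ENTITY probe SYSTEM '
                   '"file:///constructed/placeholder">]><configuration/>')


def audit_xml_text(text):
    """Return findings for DTD constructs in the configuration's XML text."""
    body = COMMENT.sub("", text)  # commented-out declarations are inert
    findings = []
    if EXT_DTD.search(body):
        findings.append("external-dtd")
    if EXT_ENTITY.search(body):
        findings.append("external-entity")
    if not findings and "<!DOCTYPE" in body:
        findings.append("doctype-present")  # internal subset only; review it
    return findings


def audit_file_mode(st):
    """Flag states that break the root-only write precondition."""
    findings = []
    if st.st_uid != 0:
        findings.append("not-root-owned")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings


def audit_config(path):
    """Audit one file; stat the opened handle so both checks see the same file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_file_mode(os.fstat(fh.fileno())) + audit_xml_text(fh.read())
```

An empty result on a pre-0.9.2 installation means the file carries no entity declarations today; it does not replace the upgrade.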

Affected Version(s)

pam_usb < 0.9.2

References

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
