CVE-2026-47273— pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

CVSS 6.5 · Medium EPSS 0.27% · P19 Updated May 28, 2026

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

Vendor	Product	Version Range	Status
mcdope	pam_usb	`< 0.9.0`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47273

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

Source: NVD (National Vulnerability Database)

Vulnerability Description

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

XML注入(XPath盲注)

Source: NVD (National Vulnerability Database)

Vulnerability Title

pam_usb 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

pam_usb是McDope个人开发者的一个基于USB设备的Linux硬件认证工具。 pam_usb 0.9.0之前版本存在安全漏洞，该漏洞源于未对用户和设备提供的标识符进行XPath元字符验证，可能导致XPath注入。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
mcdope	pam_usb	< 0.9.0	-

II. Public POCs for CVE-2026-47273

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-47273

请登录查看更多情报信息。

Patches & Fixes for CVE-2026-47273 (2)

🔗 Reject unsafe config XPath ids by dicnunz · Pull Request #311 · mcdope/pam_usb · GitHub Read full article x_refsource_MISC
🔗 Reject unsafe config XPath ids · mcdope/pam_usb@721fed0 · GitHub Read full article x_refsource_MISC

Vendor Advisories for CVE-2026-47273 (1)

🔗 XPath injection via PAM-supplied identifiers in pam_usb configuration queries · Advisory · mcdope/pam_usb · GitHubx_refsource_CONFIRM

https://nvd.nist.gov/vuln/detail/CVE-2026-47273

Same Patch Batch · mcdope · 2026-05-27 · 15 CVEs total

CVE-2026-44713	8.8 HIGH	pam_usb: Command injection via $TMUX environment variable leads to RCE as root
CVE-2026-44712	8.2 HIGH	pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent
CVE-2026-48064	8.1 HIGH	pam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass
CVE-2026-44711	7.9 HIGH	pam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and r
CVE-2026-44709	7.8 HIGH	pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution
CVE-2026-47269	7.4 HIGH	pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as
CVE-2026-47272	7.1 HIGH	pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG
CVE-2026-48065	6.7 MEDIUM	pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buf
CVE-2026-47274	6.3 MEDIUM	pam_usb: Uncontrolled search path in pam_usb tools allows privilege escalation via PATH ma
CVE-2026-47270	6.3 MEDIUM	pam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote resul
CVE-2026-48066	5.7 MEDIUM	pam_usb: Thread-unsafe static pointer in log.c causes data race under concurrent PAM authe
CVE-2026-47271	5.1 MEDIUM	pam_usb: OOM guards removed by -DNDEBUG cause NULL dereference and authentication process
CVE-2026-44710	4.6 MEDIUM	pam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login den
CVE-2026-48792	4.4 MEDIUM	pam_usb: pusb_has_virtual_input_device() silently discards EACCES, disabling remote deskto

IV. Related Vulnerabilities

Same product: pam_usb

Same vendor: mcdope

Same weakness: CWE-91

V. Comments for CVE-2026-47273

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-47273— pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-47273

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-47273

III. Intelligence Information for CVE-2026-47273

Patches & Fixes for CVE-2026-47273 (2)

Vendor Advisories for CVE-2026-47273 (1)

Same Patch Batch · mcdope · 2026-05-27 · 15 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-47273

Leave a comment