PT-2026-44086 · Pam Usb · Pam Usb

Mcdope · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-47273

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions

pam usb versions prior to 0.9.0

Description

pam usb provides hardware authentication for Linux using removable media. The software builds XPath expressions to query /etc/pamusb.conf using identifiers supplied by the user (PAM username, service name) and the device (USB device serial, model, vendor). Because these identifiers are not validated for XPath metacharacters, it is possible to inject arbitrary XPath predicates. XPath injection is a technique where an attacker inserts malicious code into an XPath query to manipulate the data returned by the application.

Recommendations

Update to version 0.9.0.
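
One way to apply the validation the description says was missing, shown as an added example (not pam usb's code, and not necessarily how 0.9.0 fixes the issue): each identifier is checked against an allowlist before it is formatted into an XPath expression, and a rejected identifier fails closed. The query template, allowed character set, length limit and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed query template modelled on the description; not taken from pam usb. */
#define USER_DEVICE_XPATH "//configuration/users/user[@id='%s']/device"
#define MAX_IDENT_LEN 128 /* assumed upper bound for any identifier */

/* Allowlist: letters, digits and a few separators seen in usernames, service
 * names and USB serial/model/vendor strings. Quotes, brackets, '|', '/', '=',
 * '*' and every other XPath metacharacter are rejected. */
int identifier_is_safe(const char *s)
{
    size_t len;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_IDENT_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        if (!alnum && strchr("_-.:@ ", c) == NULL) return 0;
    }
    return 1;
}

/* Returns 0 and writes the expression on success. Returns -1 and leaves an
 * empty string if the identifier is rejected or the buffer is too small;
 * the caller must then deny authentication rather than run a partial query. */
int build_user_xpath(char *out, size_t outlen, const char *username)
{
    int n;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!identifier_is_safe(username)) return -1;
    n = snprintf(out, outlen, USER_DEVICE_XPATH, username);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal name, a name with a quote, an empty name. */
    const char *samples[] = { "alice", "bob' or '1'='1", "" };
    char expr[256];
    for (size_t i = 0; i < 3; i++) {
        int rc = build_user_xpath(expr, sizeof expr, samples[i]);
        printf("%-18s -> %s\n", samples[i], rc == 0 ? expr : "(rejected)");
    }
    return 0;
}
```

The same check applies to every field the description lists (service name, device serial, model, vendor), since each one reaches the query from outside the module.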

Related Identifiers

CVE-2026-47273

Affected Products

Pam Usb