Skip to main content

PAN-OS CVE-2026-0266

| EUVDEUVD-2026-36134 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 palo_alto GHSA-3xrx-45h3-29cm
1.1
CVSS 4.0 · Vendor: palo_alto

Severity by source

Vendor (palo_alto) PRIMARY
1.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
vuln.today AI
4.8 MEDIUM

Admin credentials required (PR:H), victim must view payload (UI:R), stored XSS crosses browser context (S:C), with limited confidentiality and integrity impact and no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (palo_alto).

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 22:01 EUVD
Analysis Generated
Jun 10, 2026 - 21:22 vuln.today

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.

This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

AnalysisAI

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a JavaScript payload via the web management interface, enabling potential execution of that script in the browsers of other administrative users who view the affected interface element. Affected platforms include PA-Series and VM-Series physical and virtual firewalls as well as Panorama (both virtual appliances and M-Series hardware). The CVSS 4.0 base score of 1.1 reflects the extremely constrained exploitability: high-privilege access is a prerequisite and passive user interaction by a second victim is required. No public exploit identified at time of analysis.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes stored XSS, where attacker-controlled input is saved server-side and later rendered without adequate output encoding or sanitization into another user's browser context. In PAN-OS, the vulnerable surface is the web-based management UI. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms this is a network-reachable stored XSS requiring no special attack conditions beyond administrative credentials and passive victim interaction. CPE strings list cpe:2.3:a:palo_alto_networks:pan-os, cpe:2.3:a:palo_alto_networks:cloud_ngfw, and cpe:2.3:a:palo_alto_networks:prisma_access; however, the authoritative description explicitly excludes Cloud NGFW and Prisma Access - the CPE scope appears broader than confirmed impact. The vulnerability does not cross system boundaries (SC:N/SI:N/SA:N in CVSS 4.0), limiting blast radius to the vulnerable system's integrity.

RemediationAI

Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0266 for patched version availability - no specific fixed version number is present in the available data, so a vendor-released patch version cannot be independently confirmed at this time. As a compensating control while awaiting a patch, restrict web management interface access to a dedicated out-of-band management network segment or jump host, ensuring only trusted, known-good administrator accounts can reach the PAN-OS management UI; this limits who can plant a payload but does not eliminate the risk from a rogue or compromised admin. Enforce multi-administrator role separation and audit web UI configuration changes via Panorama logs to detect unexpected configuration modifications that could indicate payload injection. Enabling multi-factor authentication for administrative accounts raises the bar for an external attacker to obtain the required high-privilege credentials.

CVE-2026-0265 HIGH
7.2 May 13

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication

CVE-2026-0264 HIGH
7.2 May 13

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated

CVE-2026-0263 HIGH
7.2 May 13

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK

CVE-2026-0287 MEDIUM
6.6 Jul 09

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data

CVE-2026-0262 MEDIUM
6.6 May 13

Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de

CVE-2026-0273 MEDIUM
6.1 Jun 10

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict

CVE-2026-0261 MEDIUM
6.1 May 13

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s

CVE-2026-0272 MEDIUM
6.0 Jun 10

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an

CVE-2026-0258 MEDIUM
4.8 May 13

Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac

CVE-2026-0269 MEDIUM
4.6 Jun 10

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi

CVE-2026-0256 MEDIUM
4.4 May 13

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t

Share

CVE-2026-0266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy