Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability in Palo Alto Networks Broker VM allows an authenticated administrator to inject arbitrary content into certain Broker VM fields.
AnalysisAI
Content injection in Palo Alto Networks Broker VM 30.0 (versions prior to 30.0.24) allows an authenticated administrator with local access to inject arbitrary content into certain administrative fields within the appliance. The vulnerability carries a CVSS 4.0 score of 1.1, reflecting its highly constrained exploitation prerequisites: local access, low-privilege authentication, and limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation, making this a low-urgency finding for most organizations.
Technical ContextAI
Palo Alto Networks Broker VM is a virtual appliance that functions as an intermediary for cloud-delivered security services, brokering traffic between enterprise environments and Palo Alto's cloud infrastructure. The vulnerability is rooted in CWE-20 (Improper Input Validation), meaning certain administrator-facing input fields in the Broker VM management interface fail to adequately sanitize or restrict the content that can be submitted. This allows injection of arbitrary content - likely affecting stored data, configuration fields, or log entries - rather than achieving remote code execution. The CPE string (cpe:2.3:a:palo_alto_networks:broker_vm:*:*:*:*:*:*:*:*) confirms the flaw is in the Broker VM application itself, and EUVD data narrows the affected scope to the 30.0 release train, specifically builds below 30.0.24.
RemediationAI
The vendor-released patch is Broker VM 30.0.24, which resolves the improper input validation defect. Organizations running Broker VM 30.0 prior to 30.0.24 should upgrade to 30.0.24 or later per the Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2026-0238. Because exploitation requires an authenticated administrator session with local access, the immediate compensating control - if patching is delayed - is to enforce strict administrative account hygiene: apply multi-factor authentication to all Broker VM administrator accounts, restrict console and management interface access to dedicated jump hosts, and audit administrator activity logs for anomalous field modifications. These controls directly address the attack surface by limiting who can reach the vulnerable input fields. No significant trade-offs apply to the patch itself; upgrade impact should be assessed per standard Palo Alto Networks VM maintenance procedures.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30090
GHSA-gxm4-cg9r-54vw