Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Admin credentials required (PR:H), victim must view payload (UI:R), stored XSS crosses browser context (S:C), with limited confidentiality and integrity impact and no availability impact.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
AnalysisAI
Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a JavaScript payload via the web management interface, enabling potential execution of that script in the browsers of other administrative users who view the affected interface element. Affected platforms include PA-Series and VM-Series physical and virtual firewalls as well as Panorama (both virtual appliances and M-Series hardware). The CVSS 4.0 base score of 1.1 reflects the extremely constrained exploitability: high-privilege access is a prerequisite and passive user interaction by a second victim is required. No public exploit identified at time of analysis.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes stored XSS, where attacker-controlled input is saved server-side and later rendered without adequate output encoding or sanitization into another user's browser context. In PAN-OS, the vulnerable surface is the web-based management UI. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms this is a network-reachable stored XSS requiring no special attack conditions beyond administrative credentials and passive victim interaction. CPE strings list cpe:2.3:a:palo_alto_networks:pan-os, cpe:2.3:a:palo_alto_networks:cloud_ngfw, and cpe:2.3:a:palo_alto_networks:prisma_access; however, the authoritative description explicitly excludes Cloud NGFW and Prisma Access - the CPE scope appears broader than confirmed impact. The vulnerability does not cross system boundaries (SC:N/SI:N/SA:N in CVSS 4.0), limiting blast radius to the vulnerable system's integrity.
RemediationAI
Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0266 for patched version availability - no specific fixed version number is present in the available data, so a vendor-released patch version cannot be independently confirmed at this time. As a compensating control while awaiting a patch, restrict web management interface access to a dedicated out-of-band management network segment or jump host, ensuring only trusted, known-good administrator accounts can reach the PAN-OS management UI; this limits who can plant a payload but does not eliminate the risk from a rogue or compromised admin. Enforce multi-administrator role separation and audit web UI configuration changes via Panorama logs to detect unexpected configuration modifications that could indicate payload injection. Enabling multi-factor authentication for administrative accounts raises the bar for an external attacker to obtain the required high-privilege credentials.
More in Cloud Ngfw
View allAuthentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication
Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated
Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK
Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data
Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s
Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an
Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac
Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi
Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36134
GHSA-3xrx-45h3-29cm