Skip to main content

PAN-OS EUVDEUVD-2026-42682

| CVE-2026-0279 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 psirt@paloaltonetworks.com GHSA-6cj9-cg4w-4m7x
1.3
CVSS 4.0 · Vendor: paloaltonetworks

Severity by source

Vendor (paloaltonetworks) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
vuln.today AI
6.1 MEDIUM

Network-reachable XSS requiring victim page load (UI:R); scope changes to victim browser context (S:C); no auth needed to inject payload (PR:N); no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (paloaltonetworks).

CVSS VectorVendor: paloaltonetworks

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 20:01 EUVD
Analysis Generated
Jul 09, 2026 - 19:37 vuln.today

DescriptionCVE.org

Multiple cross site scripting vulnerabilities in the User-ID™ Authentication Portal (aka Captive Portal) service, GlobalProtect™ gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS® software enables a malicious unauthenticated user to store or execute malicious JavaScript payload.

The security risk posed by this issue is minimized when the management interface and access to the User-ID™ Authentication Portal is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).

Cloud NGFW is not affected by this vulnerability.

AnalysisAI

Multiple stored and reflected cross-site scripting vulnerabilities in PAN-OS expose the User-ID Authentication Portal (Captive Portal), GlobalProtect gateway/portal, and Clientless VPN web interfaces to unauthenticated attackers who can inject and execute arbitrary JavaScript in victim browsers. Affected deployments span PA-Series and VM-Series firewalls and Panorama management platforms; Cloud NGFW is explicitly not affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed GlobalProtect portal or Clientless VPN
Delivery
Submit crafted XSS payload into user-controlled input field
Exploit
Payload stored or reflected in portal page
Execution
Victim user loads affected page during authentication
Persist
Browser executes attacker JavaScript
Impact
Exfiltrate session cookies or redirect to phishing page

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim user to load the affected web page in their browser (UI:P - passive user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 1.3 - derived from a base that would otherwise score moderately - is strongly attenuated by the E:U (exploit unreported) supplemental metric, reflecting the current absence of known public exploits or active exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a publicly accessible Palo Alto GlobalProtect portal or Clientless VPN login page and submits a crafted JavaScript payload into a user-controlled input field (such as a login form or redirect parameter), which is then stored or reflected in subsequent page responses. A legitimate employee visiting the portal to authenticate has the attacker's script silently execute in their browser, potentially exfiltrating session tokens, authentication cookies, or credentials to an attacker-controlled endpoint. …
Remediation Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0279 for exact patched PAN-OS versions and upgrade instructions; specific fix versions are not available in the current data set and should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Pan Os

View all
CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2016-4971 HIGH POC
8.8 Jun 30

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F

CVE-2016-9150 CRITICAL POC
9.8 Nov 19

Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x b

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2025-0111 HIGH
7.1 Feb 12

Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of fil

CVE-2024-0012 CRITICAL POC
9.3 Nov 18

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access t

CVE-2020-2038 HIGH POC
7.2 Sep 09

An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to exe

CVE-2024-9474 MEDIUM POC
6.9 Nov 18

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to

CVE-2020-2036 HIGH POC
8.8 Sep 09

A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. Rated high severity

CVE-2012-6601 CRITICAL
10.0 Aug 31

The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x

CVE-2019-1579 HIGH POC
8.1 Jul 19

Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with Glob

CVE-2017-8390 CRITICAL
9.8 Aug 02

The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 a

Share

EUVD-2026-42682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy