CVE-2026-0266
Status: Awaiting Analysis

Stored XSS in Palo Alto PAN-OS

Vulnerability report for CVE-2026-0266, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Palo Alto Networks, Inc.

Description

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: palo_alto_networks
Product: pan-os
Version / Range: * (all versions)

The CPE wildcard matches every PAN-OS version, which is broader than the affected ranges listed under Detection Guidance below; match assets on the actual software version rather than on the CPE alone.

Exploitability

CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in Palo Alto Networks PAN-OS® software. It allows a malicious authenticated administrator to store a JavaScript payload via the web interface.

The vulnerability affects PAN-OS software running on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected.

Impact Analysis

An attacker who is already an authenticated administrator could use this vulnerability to inject JavaScript that is persisted by the web interface. Because the payload is stored, it executes in the browser of any other administrator who later views the affected page, with that administrator's session and privileges, so the practical impact is privilege abuse against other management accounts (actions performed as the victim, session or token theft) rather than an initial foothold. The attacker must already hold administrative credentials, which limits exposure but makes the issue relevant wherever several administrators share a management interface.

Detection Guidance

This vulnerability is a stored Cross-Site Scripting (XSS) issue that requires an authenticated administrator to inject and store a JavaScript payload via the Palo Alto Networks PAN-OS web interface.

Detection typically involves verifying the PAN-OS software version to determine if it is within the affected versions: all versions of PAN-OS 10.2, PAN-OS 11.1 versions below 11.1.14, PAN-OS 11.2 versions below 11.2.11, and PAN-OS 12.1 versions below 12.1.5.

Since the payload is stored through the web interface by an administrator, it ends up in administrator-editable content. Reviewing configuration change logs for edits made by administrator accounts, and inspecting free-text fields that are rendered back to other administrators for script-like content, can help surface exploitation attempts; the exact field affected is not identified in the available resources.

No specific detection commands or automated tools are provided in the available resources.

As a practical step, you can check the PAN-OS version using the CLI command:

  • show system info

If the version is affected, consider upgrading to a fixed version as recommended.
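The version check and the content sweep described above, as an added example that is not part of this report or of any Palo Alto Networks tooling. It parses the sw-version field from `show system info` output, compares it against the affected ranges stated on this page (10.2 entirely affected; 11.1 below 11.1.14, 11.2 below 11.2.11, 12.1 below 12.1.5), and scans an exported configuration for values that look like embedded script. The assumption behind the second part is that the stored payload lives in administrator-editable text that is included in the exported XML configuration; the sample output and configuration fragment are constructed, not captured from a device.

```python
import re
import xml.etree.ElementTree as ET

# Version ranges as stated in this report. PAN-OS 10.2 has no fixed release;
# for the other trains the first fixed maintenance release is listed.
AFFECTED_ALL_VERSIONS = {"10.2"}
FIRST_FIXED = {"11.1": (11, 1, 14), "11.2": (11, 2, 11), "12.1": (12, 1, 5)}

# PAN-OS versions look like major.minor.maint, optionally with a -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'major.minor.maint[-hN]' into a comparable tuple; hotfix defaults to 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def sw_version_from_system_info(output):
    """Pull the sw-version field out of 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def is_affected(version):
    """True if affected, False if at or above the fixed release, None if the train
    is not covered by this report and must be checked against the vendor advisory."""
    major, minor, maint, _hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train in AFFECTED_ALL_VERSIONS:
        return True
    if train in FIRST_FIXED:
        # Hotfix number is ignored on purpose: 11.1.13-h5 is still below 11.1.14.
        return (major, minor, maint) < FIRST_FIXED[train]
    return None


# Strings an administrator has no legitimate reason to put in a description or
# comment field. This is a hunting aid, not a verdict; review every hit by hand.
# Assumption: the payload ends up in text fields of the exported configuration.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.I)


def find_script_like_values(config_xml):
    """Walk an exported configuration and return (path, value) for every text node
    or attribute that matches SCRIPT_MARKERS. XML entities are decoded by the parser,
    so '&lt;script&gt;' in the file is seen here as '<script>'."""
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.text and SCRIPT_MARKERS.search(elem.text):
            hits.append((here, elem.text.strip()))
        for name, value in elem.attrib.items():
            if SCRIPT_MARKERS.search(value):
                hits.append((f"{here}@{name}", value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return hits


if __name__ == "__main__":
    # Constructed sample of 'show system info' output (not from a real device).
    sample_info = "hostname: fw-edge-01\nsw-version: 11.1.12\nmodel: PA-460\n"
    ver = sw_version_from_system_info(sample_info)
    print(ver, "affected" if is_affected(ver) else "not affected")

    # Constructed configuration fragment with a script marker in a description field.
    sample_cfg = (
        '<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">'
        '<address><entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask>'
        "<description>&lt;script&gt;alert(1)&lt;/script&gt;</description></entry>"
        '<entry name="db-srv"><ip-netmask>10.0.0.6/32</ip-netmask>'
        "<description>backend database</description></entry>"
        "</address></entry></vsys></entry></devices></config>"
    )
    for path, value in find_script_like_values(sample_cfg):
        print(path, "->", value)
```

`is_affected` returns `None` for trains this page does not mention (for example 11.0) so that an unlisted train is reported as undecided rather than silently treated as safe. The marker regex will occasionally flag benign text such as `one=`; that is acceptable for a sweep whose hits are reviewed manually.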

Compliance Impact

The provided information does not specify how the CVE-2026-0266 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the risk of this stored Cross-Site Scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software, you should upgrade to the latest fixed versions of PAN-OS.

  • For PAN-OS 10.2 users, upgrade to 11.1.14, 11.2.11, or 12.1.5.
  • For PAN-OS 11.1 users, upgrade to 11.1.14 or later.
  • For PAN-OS 11.2 users, upgrade to 11.2.11 or later.
  • For PAN-OS 12.1 users, upgrade to 12.1.5 or later.

No workarounds are available. Restricting access to the management interface to a jump box or a small set of trusted management addresses reduces exposure, especially if the interface is reachable from external networks. Note that this does not remove the risk from the attacker the advisory describes, an already authenticated administrator; it limits which accounts and networks can reach the interface and therefore how many administrators could be targeted by a stored payload. Keeping the number of administrative accounts small and reviewing configuration changes by administrators complements the upgrade.
