CVE-2026-0284
Awaiting Analysis
Awaiting Analysis - Queue
XML Injection in Palo Alto PAN-OS LSVPN
Vulnerability report for CVE-2026-0284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: Palo Alto Networks, Inc.
Description
Description
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | pan-os | 10.2.18-h8 |
| palo_alto_networks | pan-os | 11.1.16 |
| palo_alto_networks | pan-os | 11.2.13 |
| palo_alto_networks | pan-os | 12.1.7-h2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |