CVE-2026-0286
Awaiting Analysis
Awaiting Analysis - Queue
Command Injection in Palo Alto PAN-OS
Vulnerability report for CVE-2026-0286, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: Palo Alto Networks, Inc.
Description
Description
A command injection vulnerability in the management plane of Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to execute arbitrary OS commands as root.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Accessยฎ are not impacted by this vulnerability.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | pan_os | 10.2 |
| palo_alto_networks | pan_os | 11.1 |
| palo_alto_networks | pan_os | From 11.2.13 (inc) |
| palo_alto_networks | pan_os | From 12.1.7-h2 (inc) to 12.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |