MEDIUM 4.8

CVE-2026-0266: Stored XSS in Palo Alto Networks PAN-OS Web Interface

A stored cross-site scripting (XSS) vulnerability exists in Palo Alto Networks PAN-OS that allows an authenticated administrator to inject malicious JavaScript into the web interface. The payload persists in the system and executes when other users access the affected interface, potentially compromising their sessions or stealing sensitive data. The vulnerability requires valid administrator credentials to exploit, which significantly limits the attack surface but remains a genuine concern for insider threats or compromised admin accounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-14

NVD description (verbatim)

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0266 is a stored XSS flaw (CWE-79) in PAN-OS web interface handling. An authenticated attacker with administrator privileges can craft and submit a JavaScript payload through the web UI that bypasses input sanitization and validation. The payload is stored server-side and executes in the browser context of subsequent users accessing the same interface resource. The vulnerability has a CVSS 3.1 score of 4.8 (Medium severity) with network accessibility, low complexity, and high privilege requirement, resulting in limited confidentiality and integrity impact with no availability impact.

Business impact

While the MEDIUM severity score reflects the high privilege requirement, this vulnerability poses meaningful risk in environments where administrator accounts face elevated compromise risk. A malicious or compromised admin could redirect other administrators, exfiltrate session tokens or configuration data, or perform unauthorized changes that appear to originate from legitimate users. Organizations managing multiple administrators or operating in high-turnover environments should treat this as a priority, as lateral movement through administrator sessions can bypass perimeter defenses.

Affected systems

PAN-OS deployments on PA-Series and VM-Series firewalls are vulnerable, as are both virtual and M-Series Panorama instances. Cloud NGFW and Prisma Access products are explicitly not affected. Any organization running traditional PAN-OS firewalls or Panorama management appliances should verify their software versions against Palo Alto Networks' advisory to determine exposure.

Exploitability

Exploitation requires valid administrator credentials and user interaction—specifically, another user must access the web interface after the payload is stored. The attack is not remotely exploitable without prior authentication compromise. However, once successfully deployed, the payload executes automatically without further interaction from the attacker, making it a persistent threat within the administrator community. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, suggesting limited public weaponization to date.

Remediation

Patch PAN-OS to a version that addresses CVE-2026-0266; verify the specific fixed version against Palo Alto Networks' official security advisory. Until patching is complete, restrict web interface access to trusted networks, enforce multi-factor authentication for administrator accounts, and monitor admin activity logs for suspicious payloads or unexpected JavaScript injection attempts. Consider temporarily limiting the number of users with administrative privileges.

Patch guidance

Contact Palo Alto Networks or consult their security advisory directly to obtain the patched PAN-OS version(s) for your specific hardware or virtual deployment model. Patches should be staged and tested in a non-production environment first, as PAN-OS upgrades can impact firewall availability. Verify compatibility with your existing configuration backups and any custom scripts before deployment to production.

Detection guidance

Audit PAN-OS web interface logs and configuration change histories for unusual JavaScript, HTML, or script-tag injection patterns in administrator-submitted data. Monitor for unexpected redirects or script execution in browser console output when accessing the PAN-OS web UI. Implement Web Application Firewall (WAF) rules on any reverse proxy or load balancer in front of PAN-OS to detect and block common XSS payloads at ingress. Check backups and configuration exports for embedded script tags that may indicate prior compromise.

Why prioritize this

Although rated MEDIUM severity, the stored nature of this XSS and its presence in administrative interfaces warrants prompt attention. Administrator-focused vulnerabilities have outsized impact because they can be leveraged for lateral movement, privilege escalation, and persistent access. Organizations should prioritize patching within 30–60 days, sooner if they operate in high-security or compliance-sensitive environments where admin account integrity is critical.

Risk score, explained

CVSS 3.1 score of 4.8 reflects the high privilege barrier (administrator-only), network accessibility, and user interaction requirement balanced against the vulnerability's ability to compromise confidentiality and integrity. The score is appropriately conservative for a stored XSS with limited reach; however, the impact on administrator integrity elevates business risk beyond the numerical score.

Frequently asked questions

Do I need to worry about this if my PAN-OS is not exposed to untrusted administrators?

If all your administrators are fully trusted and operate in a tightly controlled environment, the immediate risk is lower. However, insider threats, contractor access, and account compromise remain realistic scenarios. Consider this in your risk model alongside your admin access controls and identity verification practices.

Is there a workaround if I cannot patch immediately?

Temporary mitigations include restricting web interface access via network policy to a bastion host or VPN, implementing strict IP whitelisting, and enforcing multi-factor authentication. These do not eliminate the vulnerability but reduce the likelihood of exploitation. Patching should still be prioritized.

How do I check if this vulnerability has been exploited in my environment?

Review web interface access logs and audit trails for unusual administrator activities around the published date (June 10, 2026) and modification date (July 14, 2026). Look for administrator accounts creating or modifying rules, policies, or interface settings outside normal business hours or from unusual locations.

Why are Cloud NGFW and Prisma Access not affected?

Palo Alto Networks likely implemented different code paths or sanitization mechanisms for cloud-delivered products. Contact Palo Alto Networks support if you use hybrid deployments to confirm which of your products require patching.

This analysis is for informational purposes and based on publicly available information as of the published and modified dates. Threat actors and attack patterns evolve; verify all findings against the latest Palo Alto Networks security advisory and your own environment's specifics. SEC.co makes no warranty regarding the accuracy of external vendor timelines or patch availability. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).