CVE-2026-0256 PUBLISHED

PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

Assigner: palo_alto
Reserved: 03.11.2025 Published: 13.05.2026 Updated: 13.05.2026

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.

This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).

Cloud NGFW and Prisma® Access are not impacted by this vulnerability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber
CVSS Score: 4.4

Product Status

Vendor Palo Alto Networks
Product Cloud NGFW
Versions Default: unaffected
  • Version All is unaffected
Vendor Palo Alto Networks
Product PAN-OS
Versions Default: unaffected
  • affected from 12.1.0 to 12.1.7 (excl.)
  • affected from 11.2.0 to 11.2.12 (excl.)
  • affected from 11.1.0 to 11.1.15 (excl.)
  • affected from 10.2.0 to 10.2.18-h6 (excl.)
Vendor Palo Alto Networks
Product Prisma Access
Versions Default: unaffected
  • Version All is unaffected

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

  • Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue. finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

  • CAPEC-592 Stored XSS