CVE-2026-0284 PUBLISHED

PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)

Assigner: palo_alto
Reserved: 03.11.2025 Published: 09.07.2026 Updated: 09.07.2026

An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.

Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:L/E:U/AU:N/R:A/V:D/RE:M/U:Amber
CVSS Score: 4.7

Product Status

Vendor Palo Alto Networks
Product Cloud NGFW
Versions Default: unaffected
  • Version All is unaffected
Vendor Palo Alto Networks
Product PAN-OS
Versions Default: unaffected
  • affected from 12.1.0 to 12.1.4-h8 (excl.)
  • affected from 11.2.0 to 11.2.4-h20 (excl.)
  • affected from 11.1.0 to 11.1.4-h35 (excl.)
  • affected from 10.2.0 to 10.2.7-h36 (excl.)
Vendor Palo Alto Networks
Product Prisma Access
Versions Default: unaffected
  • Version All is unaffected

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

  • our internal security research teams finder

References

Problem Types

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE

Impacts

  • CAPEC-250 XML Injection