PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

Monitor | CVSS 6.9 | CVE-2026-0256 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A stored cross-site scripting vulnerability in Palo Alto Networks PAN-OS allows an authenticated administrator to inject malicious JavaScript into the web interface. When executed, the payload runs in the browser of other administrators accessing the same configuration, potentially allowing credential theft, unauthorized configuration changes, or further compromise of the firewall. The vulnerability affects PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances. Cloud NGFW and Prisma Access are not vulnerable.

What this means
What could happen
A malicious administrator with web interface access could inject JavaScript code into the firewall's configuration that executes when other administrators log in, allowing the attacker to steal credentials or modify firewall settings without further authorization.
Who's at risk
This vulnerability affects network security teams managing Palo Alto Networks PA-Series firewalls (physical or virtual), VM-Series firewalls, and Panorama appliances. Cloud NGFW and Prisma Access users are not impacted. Any organization using these devices for network protection should assess whether administrator accounts could be compromised.
How it could be exploited
An attacker with valid administrator credentials accesses the PAN-OS web interface and stores a malicious JavaScript payload in a configuration field. When another administrator logs in and views the affected configuration page, the JavaScript executes in their browser session, running with the privileges of the authenticated user.
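Because the payload in this class of bug lives in an administrator-editable configuration field, one defender-side check is to audit an exported configuration for string fields that contain markup or script rather than plain text. The following Python script is an added example, not code from OTPulse or Palo Alto Networks: the XML sample is constructed and only loosely modelled on a PAN-OS export (real exports differ in detail), and the indicator patterns are heuristics that need human review of every hit.

```python
"""Audit an exported, PAN-OS-style XML configuration for string fields that
contain active HTML or JavaScript. Heuristic, defender-side check; added
example, not vendor code. The sample configuration below is constructed."""
import html
import re
import xml.etree.ElementTree as ET

# Indicators of markup or script in a field that should hold plain text.
# Heuristic: hits need manual review (e.g. a description containing
# "online=" trips the event-handler rule).
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg|img)\b"  # active markup tags
    r"|javascript\s*:"                              # javascript: URLs
    r"|\bon[a-z]+\s*=",                             # inline event handlers
    re.IGNORECASE,
)

# Constructed sample export, loosely modelled on the PAN-OS XML layout.
# Two description fields and one object name carry markup; the last
# description is double-encoded on purpose to exercise the unescape step.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-server">
        <ip-netmask>10.0.0.5/32</ip-netmask>
        <description>Primary web server</description>
      </entry>
      <entry name="db-server">
        <ip-netmask>10.0.0.6/32</ip-netmask>
        <description>&lt;script&gt;/* constructed marker */&lt;/script&gt;</description>
      </entry>
    </address>
    <service>
      <entry name="svc-http onload=1"><protocol><tcp><port>80</port></tcp></protocol></entry>
    </service>
    <rulebase><security><rules>
      <entry name="allow-web"><description>Allow HTTP to DMZ</description></entry>
      <entry name="to-dmz">
        <description>see &amp;lt;a href=&amp;quot;javascript:void(0)&amp;quot;&amp;gt;link&amp;lt;/a&amp;gt;</description>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""


def _segment(elem):
    """Path segment for an element; <entry> nodes are keyed by their name."""
    name = elem.attrib.get("name")
    return f'{elem.tag}[@name="{name}"]' if name is not None else elem.tag


def iter_fields(root):
    """Yield (path, value) for every attribute and non-empty text node,
    in document order (iterative pre-order walk)."""
    stack = [(root, _segment(root))]
    while stack:
        elem, path = stack.pop()
        for attr, value in elem.attrib.items():
            yield f"{path}/@{attr}", value
        if elem.text and elem.text.strip():
            yield path, elem.text
        for child in reversed(list(elem)):
            stack.append((child, f"{path}/{_segment(child)}"))


def find_suspicious_fields(config_xml):
    """Return [(path, matched_snippet)] for fields that look like markup or
    script. html.unescape() runs after XML parsing so that double-encoded
    content (e.g. &amp;lt;script&amp;gt; in the export) is still caught."""
    root = ET.fromstring(config_xml)
    findings = []
    for path, value in iter_fields(root):
        match = SUSPICIOUS.search(html.unescape(value))
        if match:
            findings.append((path, match.group(0)))
    return findings


if __name__ == "__main__":
    import sys
    # Pass an exported config path as the first argument, else use the sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for path, snippet in find_suspicious_fields(xml_text):
        print(f"{path}: {snippet!r}")
```

Run against the sample, the script reports three hits: the db-server description (`<script`), the service object name (`onload=`) and the double-encoded rule description (`javascript:`). Scanning attribute values as well as text nodes matters because object names are rendered in the web interface just like descriptions, and decoding entities after parsing catches content that was encoded twice on the way into the export.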
Prerequisites
  • Valid administrator credentials for the PAN-OS web interface
  • Access to the management interface (typically port 443)
  • The target firewall must be PAN-OS on PA-Series, VM-Series, or Panorama (Cloud NGFW and Prisma Access are not affected)
  • Requires valid administrator credentials (insider threat or compromised admin account)
  • Affects administrative access and the control plane
  • Low technical complexity to exploit if credentials are available
  • No patch currently available for all versions (some fixes have ETA dates)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix
Product         Affected Versions    Fix Status
PAN-OS          Below 12.1.4-h5      12.1.4-h5 or later
PAN-OS          Below 12.1.7         12.1.7 or later (ETA: 05/28)
Prisma Access   Below 11.2.4-h17     11.2.4-h17 or later (ETA: 05/28)
Prisma Access   Below 11.2.7-h13     11.2.7-h13 or later
Prisma Access   Below 11.2.10-h6     11.2.10-h6 or later
Prisma Access   Below 11.2.12        11.2.12 or later (ETA: 05/28)
Remediation & Mitigation
Do now
WORKAROUND: Enable Threat ID 510020 (requires Applications and Threats content version 9100-10044 or later) and apply threat prevention to inbound traffic on the management interface as a temporary mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS
HOTFIX: Update PAN-OS to 12.1.4-h5 or later, or to 12.1.7 or later once that release is available (ETA 05/28/2026); for other supported release trains, use the equivalent patched version
Prisma Access
HOTFIX: Update Prisma Access to 11.2.4-h17 or later, 11.2.7-h13 or later, 11.2.10-h6 or later, or 11.2.12 or later, depending on your current release train
Long-term hardening
HARDENING: Restrict administrator access to the management interface to trusted IP addresses or networks via firewall rules
HARDENING: Audit current administrator accounts and disable or reset credentials for any unused or suspicious accounts
API: /api/v1/advisories/a3cd9c36-b983-4955-85e6-92a33400c099
Source: OTPulse