Palo Alto PAN-OS Stored Cross-Site Scripting (XSS) Vulnerability CVE-2026-0266 (Low) -DC-Jul2026-912

Listen to this Post

CVE-2026-0266 describes a stored cross-site scripting (XSS) vulnerability affecting the web interface of Palo Alto Networks PAN-OS software. The flaw resides in improper neutralization of user‑supplied input during web page generation (CWE‑79). An authenticated administrator with high privileges can inject and permanently store a malicious JavaScript payload through the PAN‑OS management interface. Because the application does not adequately sanitize or encode the stored data before rendering it in subsequent web sessions, any other administrator who later accesses the affected page will have the attacker’s script executed in their browser context.
The attack vector is network‑based, requires no special configuration, and demands that the victim (another admin) interacts with the compromised interface element passively (e.g., by viewing a dashboard or log entry). The stored payload can then perform actions on behalf of the victim admin, such as exfiltrating session cookies, modifying firewall rules, or implanting further backdoors—all within the trust boundary of the management session.
Affected products include PA‑Series and VM‑Series firewalls running PAN‑OS versions below 11.1.14, below 11.2.11, or below 12.1.5, as well as Panorama (virtual and M‑Series) on the same version branches. Cloud NGFW and Prisma Access are explicitly not vulnerable. The CVSS v4.0 base score is 1.1 (Low), reflecting the requirement for authenticated high‑privilege access and passive user interaction. However, the risk escalates significantly if the management interface is exposed to the internet, as a compromised admin account could then be used to poison the web interface and pivot to other privileged users.
Palo Alto Networks released fixed versions on June 10, 2026, the same day the CVE was published. No active exploits have been reported in the wild, and the vendor rates the urgency as “Moderate” due to the low severity but recommends restricting management access to trusted jump hosts as a best‑practice mitigation.

DailyCVE Form:

Platform: PAN‑OS firewalls
Version: <11.1.14/11.2.11/12.1.5
Vulnerability: Stored XSS (CWE‑79)
Severity: Low (CVSS 1.1)
date: 2026‑06‑10

Prediction: Already patched (2026‑06‑10)

What Undercode Say (Analytics):

Check PAN-OS version via CLI
show system info | match "version"
Query the management interface for vulnerable endpoints (authenticated only)
curl -k -X GET "https://<firewall>/api/?type=op&cmd=<show><system><info></info></system></show>" -H "Cookie: PHPSESSID=<valid_session>"
Simulate stored XSS injection (example payload)
<script>alert('CVE-2026-0266');</script>
Monitor for anomalous admin sessions
tail -f /var/log/pan/audit.log | grep -i "xss|inject"

Exploit:

No public exploit code exists. A malicious authenticated admin can manually inject JavaScript into any input field that is stored and later rendered (e.g., device name, description fields, or custom URL categories). The payload executes when another admin views the compromised page.

Protection:

  • Upgrade to PAN‑OS 11.1.14, 11.2.11, 12.1.5, or later.
  • Restrict management interface access to trusted IPs/jump hosts only.
  • Enforce multi‑factor authentication (MFA) for all administrative accounts.
  • Regularly audit admin activity logs for unusual input patterns.

Impact:

  • Integrity impact: stored scripts can modify firewall settings or exfiltrate data.
  • No confidentiality or availability impact on the appliance itself.
  • Risk is limited to environments where admin accounts are compromised or malicious insiders exist.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top