PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
CVE-2026-0266
0.4 LOW
What is CVE-2026-0266?
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Affected Version(s)
PAN-OS 12.1.0 < 12.1.5
PAN-OS 11.2.0 < 11.2.11
PAN-OS 11.1.0 < 11.1.14
CVSS V4
Score: 0.4
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
Credit
Palo Alto Networks thanks Rajnish Gupta (internal reporter), James Otten (internal reporter), and Jasper Westerman of REQON B.V. for discovering and reporting this issue.