XML Injection Vulnerability in Palo Alto Networks PAN-OS Large Scale VPN Functionality
CVE-2026-0284
4.7MEDIUM
What is CVE-2026-0284?
An XML injection vulnerability exists within the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software. This vulnerability allows unauthenticated attackers with access to the network to inject malicious XML content. If exploited, it may lead to unauthorized information disclosure or corruption of critical internal data pertaining to LSVPN satellites. Notably, this issue does not impact Panorama, Cloud NGFW, or Prisma Access.
Affected Version(s)
PAN-OS 12.1.0 < 12.1.4-h8
PAN-OS 11.2.0 < 11.2.4-h20
PAN-OS 11.1.0 < 11.1.4-h35
References
CVSS V4
Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
our internal security research teams