XSS in Palo Alto Networks PAN-OS UI Captures Authenticated Admin Payloads
CVE-2026-0266 Published on June 10, 2026

PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Vendor Advisory NVD

Timeline

2026-06-10

Initial publication.

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-0266 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2026-0266

Want to know whenever a new CVE is published for Palo Alto Networks PAN-OS? stack.watch will email you.

Palo Alto Networks PAN-OS

Affected Versions

Palo Alto Networks Cloud NGFW:

Version All is unaffected.

Palo Alto Networks PAN-OS:

Version 12.1.0 and below 12.1.5 is affected.
Version 11.2.0 and below 11.2.11 is affected.
Version 11.1.0 and below 11.1.14 is affected.
Version 10.2.0 is affected.

Palo Alto Networks Prisma Access: