XSS in Palo Alto Networks PAN-OS UI Captures Authenticated Admin Payloads
CVE-2026-0266 Published on June 10, 2026

PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Vendor Advisory NVD

Timeline

Initial publication.

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-0266 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2026-0266

Want to know whenever a new CVE is published for Palo Alto Networks PAN-OS? stack.watch will email you.

 

Affected Versions

Palo Alto Networks Cloud NGFW: Palo Alto Networks PAN-OS: Palo Alto Networks Prisma Access:

Exploit Probability

EPSS
0.21%
Percentile
11.50%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.