XSS in PAN-OS User-ID Portal & GlobalProtect
CVE-2026-0279 Published on July 9, 2026
PAN-OS: Multiple Cross-Site Scripting (XSS) Vulnerabilities
Multiple cross site scripting vulnerabilities in the User-ID Authentication Portal (aka Captive Portal) service, GlobalProtect gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS® software enables a malicious unauthenticated user to store or execute malicious JavaScript payload.
The security risk posed by this issue is minimized when the management interface and access to the User-ID Authentication Portal is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW is not affected by this vulnerability.
Timeline
Updated the Unaffected version for Prisma Access.
Initial publication
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-0279 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-0279
stack.watch emails you whenever new vulnerabilities are published in Palo Alto Networks PAN-OS or Palo Alto Networks Prisma Access. Just hit a watch button to start following.
Affected Versions
Palo Alto Networks Cloud NGFW:- Version All is unaffected.
- Version 12.1.0 and below 12.1.8 is affected.
- Version 11.2.0 and below 11.2.13 is affected.
- Version 11.1.0 and below 11.1.16 is affected.
- Version 10.2.0 and below 10.2.18-h8 is affected.
- Version 12.1.0 and below 12.1.8 is affected.
- Version 11.2.0 is affected.
- Version 10.2.0 is affected.