CVE-2026-0256
Description
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not impacted by this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in PAN-OS web interface lets authenticated admins inject JavaScript, enabling malicious actions.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in the Palo Alto Networks PAN-OS web interface. An authenticated administrator can store a malicious JavaScript payload via the web interface; as with any stored XSS, that payload is then delivered to, and executed by, other users when the affected page is loaded [1]. The underlying weakness is that user-supplied input stored by the interface is rendered back into pages without adequate sanitization or output encoding.
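The following is an added illustration of the stored-XSS class described above; it is not PAN-OS code and says nothing about which PAN-OS page or field is affected. It assumes a hypothetical management UI that saves an administrator-supplied free-text "description" and later renders it into an HTML table for other administrators. The vulnerable renderer concatenates the stored value into markup unchanged, so any tag or inline event handler the value contains becomes live for whoever loads the page; the hardened renderer encodes the value for an HTML text context first. The sample stored value is constructed for the example.

```javascript
// Added example, not PAN-OS code: a stored-XSS sink and its hardened form.
// Hypothetical UI: an admin-supplied "description" is stored, then rendered
// into an HTML table cell that other administrators load in their browsers.

// Constructed sample of what a malicious administrator might save in the field.
const STORED_DESCRIPTION =
  'Branch office <img src=x onerror="alert(document.cookie)">';

// Vulnerable sink: the stored value is spliced into HTML unchanged, so the
// <img> tag and its onerror handler become part of the page for every viewer.
function renderDescriptionUnsafe(stored) {
  return `<td class="description">${stored}</td>`;
}

// Encode the five characters that can change parsing in an HTML text context.
// This is output encoding at render time, which is the actual fix for XSS;
// input filtering alone is routinely bypassed.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened sink: identical markup, but the stored value is encoded first, so
// the browser shows the attacker's text literally and runs nothing.
function renderDescriptionSafe(stored) {
  return `<td class="description">${escapeHtml(stored)}</td>`;
}

// Helper used to make the difference observable without a DOM: strip the known
// wrapper tag and report whether the stored value introduced any tag of its own.
function introducesMarkup(html, wrapperTag) {
  const inner = html.replace(
    new RegExp(`^<${wrapperTag}[^>]*>|</${wrapperTag}>$`, 'g'),
    ''
  );
  return /<[a-z!/]/i.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe :', renderDescriptionUnsafe(STORED_DESCRIPTION));
console.log('safe   :', renderDescriptionSafe(STORED_DESCRIPTION));
console.log('unsafe introduces markup:', introducesMarkup(renderDescriptionUnsafe(STORED_DESCRIPTION), 'td'));
console.log('safe introduces markup  :', introducesMarkup(renderDescriptionSafe(STORED_DESCRIPTION), 'td'));
```

`escapeHtml` is only correct for an HTML text (element body) context; a value placed into an attribute, a URL, or a script block needs the encoder for that context, and a templating engine that encodes by default is the preferable way to get this right across an entire admin interface. Note that the stored value is still persisted as-is; the fix is applied at every point where it is rendered, which is why a stored XSS must be traced to all sinks, not just the one first reported.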
Attack Vector
Exploitation requires an authenticated administrator account on a vulnerable PAN-OS instance. No special configuration is needed; the attacker simply saves the payload through the web interface, where it persists until another user loads the affected page. The vulnerability affects PAN-OS running on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not impacted [1].
Impact
A successful attack allows the malicious administrator to execute arbitrary JavaScript in the context of other administrators' sessions. This could lead to session hijacking, data exfiltration, or further compromise of the firewall management interface. Because the attacker must already hold an administrator account, the realistic concern is one administrator abusing the trust of others who share the management interface rather than an external attack. No malicious exploitation had been reported as of the advisory [1].
Mitigations
Palo Alto Networks has released a Threat Prevention content update (Threat ID 510020), available starting with Applications and Threats content version 9100-10044, to detect and block attacks. Customers with a Threat Prevention subscription should confirm that this Threat ID is enabled and set to block. Beyond applying that content update, the only mitigation noted is to restrict access to the management web interface to trusted administrators (and, in practice, to trusted management networks) [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)