medium advisory

CVE-2026-0256 PAN-OS Stored Cross-Site Scripting (XSS) Vulnerability

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to inject a JavaScript payload via the web interface, potentially impacting other administrators.

CVE-2026-0256 is a stored cross-site scripting (XSS) vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the web interface and enables a malicious, authenticated administrator to inject and store a JavaScript payload. The injected payload can then be executed in the context of other administrators who interact with the affected part of the web interface. This issue impacts PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not affected. Palo Alto Networks is not aware of any malicious exploitation of this issue.

Attack Chain

  1. An attacker gains high-privileged administrative access to a vulnerable PAN-OS device.
  2. The attacker crafts a malicious JavaScript payload.
  3. The attacker authenticates to the PAN-OS web interface.
  4. The attacker navigates to a vulnerable section of the web interface that allows storing data.
  5. The attacker injects the crafted JavaScript payload into a field that is saved to the PAN-OS configuration.
  6. Another administrator authenticates to the PAN-OS web interface.
  7. The second administrator navigates to the section of the web interface where the malicious JavaScript payload is stored.
  8. The stored JavaScript payload executes within the second administrator’s browser session, potentially leading to session hijacking, credential theft, or other malicious actions.
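
Because step 5 saves the payload into the PAN-OS configuration, an exported configuration XML can be reviewed for stored markup. The scan below is an added example, not code from the advisory or from Palo Alto Networks; the element names, sample entries and regex patterns are constructed assumptions and do not identify the affected field.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers of HTML/JS in configuration values (assumed patterns, may false-positive).
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # HTML element tags
    r"|\bon[a-z]{3,}\s*="                              # inline event handlers
    r"|javascript\s*:",                                 # script URLs
    re.IGNORECASE,
)

def find_markup(xml_text):
    """Return (path, where, value) for each attribute or text node that matches."""
    hits = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        if node.get("name") is not None:
            here += f"[@name={node.get('name')!r}]"
        for attr, value in node.attrib.items():
            if SUSPICIOUS.search(value):
                hits.append((here, f"@{attr}", value))
        text = (node.text or "").strip()
        if text and SUSPICIOUS.search(text):
            hits.append((here, "text", text))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits

# Constructed sample export; element names are illustrative, not the affected field.
SAMPLE = """<config><address>
  <entry name="web-01"><description>Branch office web server</description></entry>
  <entry name="db-01"><description>&lt;script&gt;/* constructed */&lt;/script&gt;</description></entry>
  <entry name="app-01"><description>&lt;img src=x onerror=void(0)&gt;</description></entry>
</address></config>"""

if __name__ == "__main__":
    for path, where, value in find_markup(SAMPLE):
        print(f"{path} ({where}): {value}")
```

Hits are leads for manual review, since legitimate values can match these heuristics; the entry path points to the object to inspect and, if needed, to the configuration audit trail for who saved it.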

Impact

Successful exploitation of this stored XSS vulnerability (CVE-2026-0256) allows a malicious administrator to execute arbitrary JavaScript code within the browser of other administrators. This could lead to the compromise of administrative accounts, unauthorized configuration changes, or the exfiltration of sensitive information. While the vulnerability requires high privileges to inject the payload, the impact on other administrators could be significant.

Recommendation

  • Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory to remediate CVE-2026-0256. Refer to the “Solution” section of the advisory for specific version recommendations.
  • Customers with a Threat Prevention subscription can enable Threat ID 510020 (from Applications and Threats content version 9100-10044 and later) to block attacks for this vulnerability, as mentioned in the “Workarounds and Mitigations” section.
  • Implement the mitigations described in the advisory, such as routing incoming traffic for the MGT port through a DP port, replacing the Certificate for Inbound Traffic Management, decrypting inbound traffic to the management interface, and enabling threat prevention on the inbound traffic to management services.

Detection coverage (2)

Detect CVE-2026-0256 Exploitation Attempt - PAN-OS Web Interface XSS

medium

Detects potential attempts to inject malicious JavaScript code into the PAN-OS web interface, indicative of CVE-2026-0256 exploitation.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver

Detect PAN-OS Management Interface Access from Non-DP Port

low

Detects access to the PAN-OS management interface from a non-Data Plane port, which could indicate an attempt to bypass mitigations for CVE-2026-0256.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows
