SB2026071034 - Multiple vulnerabilities in Palo Alto PAN-OS
Published: July 10, 2026 Updated: July 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-0288)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to out-of-bounds write in the User-ID Terminal Server Agent (TSA) component when handling network traffic. A remote attacker can send specially crafted network traffic to cause a denial of service or execute arbitrary code.
This issue only affects devices with at least one Terminal Server Agent entry configured. Panorama is not impacted.
2) OS Command Injection (CVE-ID: CVE-2026-0286)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary OS commands as root.
The vulnerability exists due to improper neutralization of special elements used in an OS command in the management plane CLI when processing crafted CLI input. A remote privileged user can send crafted CLI commands to execute arbitrary OS commands as root.
This issue affects the management plane and does not require special configuration to be exposed.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-0285)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to make unauthorized requests to internal services.
The vulnerability exists due to server-side request forgery in the management web interface when handling crafted requests. A remote privileged user can send a specially crafted request to make unauthorized requests to internal services.
Exploitation requires network access to the management web interface.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information or corrupt internal LSVPN satellite data.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the Large Scale VPN (LSVPN) functionality when processing network-supplied XML content. A remote attacker can inject malicious XML content to disclose sensitive information or corrupt internal LSVPN satellite data.
Only firewalls using Large Scale VPN (LSVPN) with configured satellites are vulnerable. Panorama, Cloud NGFW, and Prisma Access are not impacted.
5) Missing Authentication for Critical Function (CVE-ID: CVE-2026-0283)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass security restrictions and establish an unauthorized site-to-site VPN connection.
The vulnerability exists due to missing authentication for a critical function in the large scale vpn (lsvpn) functionality when handling network access to configured satellite connections. A remote attacker can send crafted connection attempts to bypass security restrictions and establish an unauthorized site-to-site VPN connection.
Only firewalls using large scale vpn (lsvpn) with configured satellites are vulnerable.
6) Input validation error (CVE-ID: CVE-2026-0282)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to delete files from a temporary directory.
The vulnerability exists due to improper input validation in the management web interface when handling network requests. A remote attacker can send a specially crafted request to delete files from a temporary directory.
This issue is exposed through the management web interface.
7) Use of cache containing sensitive information (CVE-ID: CVE-2026-0281)
CWE-ID: CWE-524 - Use of Cache Containing Sensitive Information
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose web session tokens.
The vulnerability exists due to use of cache containing sensitive information in the management web interface when handling a malicious link clicked by a legitimate user. A remote attacker can provide a malicious link to obtain web session tokens.
User interaction is required, and a legitimate user must first click an attacker-supplied malicious link.
8) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-0280)
CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass firewall security policy enforcement.
The vulnerability exists due to incorrect calculation of buffer size in the dataplane when processing IPv6 packets. A remote attacker can send crafted network traffic to bypass firewall security policy enforcement.
Only firewalls with IPv6 enabled on one or more interfaces are vulnerable. Cloud NGFW and Panorama are not impacted by this vulnerability.
9) Cross-site scripting (CVE-ID: CVE-2026-0279)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute malicious JavaScript payload.
The vulnerability exists due to cross-site scripting in the User-ID Authentication Portal, GlobalProtect gateway/portal features, and Clientless VPN when handling web content. A remote attacker can store or execute a malicious JavaScript payload to execute malicious JavaScript payload.
User interaction is required for exploitation.
10) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-0287)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper check for unusual or exceptional conditions in network traffic processing on the dataplane interface when processing specially crafted network traffic sent to or through a dataplane interface. A remote attacker can send specially crafted network traffic to cause a denial of service.
Repeated attempts to trigger the issue result in the firewall entering maintenance mode. Panorama is not impacted.
Remediation
Install update from vendor's website.
References
- https://security.paloaltonetworks.com/CVE-2026-0288
- https://security.paloaltonetworks.com/CVE-2026-0286
- https://security.paloaltonetworks.com/CVE-2026-0285
- https://security.paloaltonetworks.com/CVE-2026-0284
- https://security.paloaltonetworks.com/CVE-2026-0283
- https://security.paloaltonetworks.com/CVE-2026-0282
- https://security.paloaltonetworks.com/CVE-2026-0281
- https://security.paloaltonetworks.com/CVE-2026-0280
- https://security.paloaltonetworks.com/CVE-2026-0279
- https://security.paloaltonetworks.com/CVE-2026-0287