CVE-2026-0261

EPSS 0.08%
Veröffentlicht 13.05.2026 17:59:31
Zuletzt bearbeitet 14.05.2026 16:21:23
Quelle psirt@paloaltonetworks.com
CVE-Watchlists
Login
Unerledigt
Login

PAN-OS: Authenticated Admin Command Injection Vulnerability

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.



The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .



This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).



Cloud NGFW and Prisma Access® are not impacted by these vulnerabilities.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 3 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPalo Alto Networks

≫

Produkt Cloud NGFW

Default Statusunaffected

Version All

Status unaffected

HerstellerPalo Alto Networks

≫

Produkt PAN-OS

Default Statusunaffected

Version 12.1.0

Version < 12.1.7, 12.1.4-h5

Status affected

Version 11.2.0

Version < 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17

Status affected

Version 11.1.0

Version < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33

Status affected

Version 10.2.0

Version < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34

Status affected

HerstellerPalo Alto Networks

≫

Produkt Prisma Access

Default Statusunaffected

Version All

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.238

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@paloaltonetworks.com	6.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://security.paloaltonetworks.com/CVE-2026-0261

https://nvd.nist.gov/vuln/detail/CVE-2026-0261

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0261

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0261

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-0261