Impact
A stored cross-site scripting flaw exists in Palo Alto Networks PAN-OS software that lets an authenticated administrator store a JavaScript payload through the web interface. The payload is rendered whenever any administrator opens the affected page, so the attacker's script runs in a privileged user's browser, where it can steal session tokens or inject additional malicious content. The weakness is classified as CWE-79 (improper neutralization of input during web page generation): administrator-supplied input is stored and later rendered into the management UI without adequate neutralization.
Affected Systems
The vulnerability affects PAN-OS versions 10.2.0 through 10.2.18, 11.1.0 through 11.1.13, 11.2.0 through 11.2.10, and 12.1.2 through 12.1.4 on PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not impacted. Fixed versions are 12.1.5 or later, 11.2.11 or later, and 11.1.14 or later; for the older 10.2.x releases the remediation is to upgrade to 11.1.14, 11.2.11, 12.1.5 or any newer fixed release.
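The version ranges above are easy to misread when checking a fleet by hand, so here is an added inventory check (not code from the advisory or from Palo Alto Networks) that parses a PAN-OS version string, decides whether it falls in an affected range, and names the minimum fixed release on the same train. It assumes the hotfix suffix ("-hN") can be ignored because this advisory states its ranges at patch level only.

```python
# Added example: classify PAN-OS version strings against the affected ranges
# and fixed releases stated in the advisory text above.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (first affected, last affected), inclusive, from the advisory.
AFFECTED_RANGES = [
    ((10, 2, 0), (10, 2, 18)),
    ((11, 1, 0), (11, 1, 13)),
    ((11, 2, 0), (11, 2, 10)),
    ((12, 1, 2), (12, 1, 4)),
]

# Lowest fixed release per maintained train, from the advisory.
# 10.2.x has no in-train fix; the advisory directs those to a newer train.
FIXED_VERSIONS = {
    (11, 1): (11, 1, 14),
    (11, 2): (11, 2, 11),
    (12, 1): (12, 1, 5),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' and drop any '-hN' hotfix suffix.

    Assumption: the advisory lists ranges at patch level, so hotfix builds
    of a listed patch release are treated the same as the base release.
    """
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Minimum fixed release for an affected version, else None."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:  # 10.2.x: no in-train fix, per the advisory
        return "11.1.14, 11.2.11 or 12.1.5 (no 10.2.x fix)"
    return ".".join(str(n) for n in fixed)
```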
Risk and Exploitability
The official CVSS score of 0.4 indicates a low severity assessment, and no EPSS value is available, so the exploitation probability is uncertain. Nonetheless, the attack requires only an authenticated administrator and yields client-side code execution, which could compromise other admin sessions or enable credential theft. The vulnerability is not listed in the CISA KEV catalog, and no workaround exists. Organizations should treat it as a moderate risk to privileged accounts and proceed with patching. The attack vector is likely the web interface, reachable by any authenticated privileged user.
OpenCVE Enrichment