XSS in Palo Alto Networks Cloud Ngfw
CVE-2025-0133
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user'…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.435 (98.6th percentile) — read the EPSS interpretation.
Affected products
- Palo Alto Networks Cloud Ngfw — versions All
- Palo Alto Networks Pan-os — versions 11.2.0, 11.1.0, 10.2.0
- Palo Alto Networks Prisma Access — versions All
Weakness classification (CWE)
Public proof-of-concept exploits
References
- psirt@paloaltonetworks.com (vendor-advisory)
Frequently asked questions
- What is CVE-2025-0133?
- CVE-2025-0133 is a vulnerability in Palo Alto Networks Cloud Ngfw, classified under Cross-site Scripting. Published 2025-05-14.
- Is CVE-2025-0133 known to be exploited?
- 17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.