CVE-2026-0300
ENISA EUVD: EUVD-2026-27879 ↗
Exploited in the Wild
✓ Confirmed 0-Day
Triaged: May 7, 2026
7 articles
Published: 2026-05-06
EPSS Score
Source: FIRST.org · 2026-05-23
4.35%
probability
This CVE has a 4.35% probability
of being exploited in the next 30 days.
0%
Top 89.1th percentile of all CVEs
100%
CVSS v4.0 NEW
Source: VulnerabilityLookup (CIRCL)9.3
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vulnerable System Confidentiality Impact
High
Vulnerable System Integrity Impact
High
Vulnerable System Availability Impact
High
Subsequent System Confidentiality Impact
Low
Subsequent System Integrity Impact
Low
Subsequent System Availability Impact
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
CVSS v3.1
Source: NVD9.8
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
VulnerabilityLookup (CNA)A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Affected Products
Palo Alto Networks
Cloud NGFW
All
Palo Alto Networks
PAN-OS
12.1.0
11.2.0
11.1.0
10.2.0
Palo Alto Networks
Prisma Access
All
Exploits & PoC
15
2026-05-07
qassam-315/PAN-OS-User-ID-Buffer-Overflow-PoC
A research-grade Proof-of-Concept (PoC) for CVE-2026-0300, targeting the Buffer Overflow vulnerability in Palo Alto Networks PAN-OS User-ID™ Authentic
3
2026-05-06
mr-r3b00t/CVE-2026-0300
a honeypot for CVE-2026-0300
1
2026-05-06
bannned-bit/CVE-2026-0300-PANOS
Security Research and Proof-of-Concept (PoC) for CVE-2026-0300 : Unauthenticated Remote Code Execution (RCE) in Palo Alto Networks PAN-OS User-ID Port
1
2026-05-06
0xBlackash/CVE-2026-0300
CVE-2026-0300
0
2026-05-06
TailwindRG/cve-2026-0300-audit
Read-only audit tooling for CVE-2026-0300 (PAN-OS User-ID Authentication Portal exposure)
0
2026-05-06
shizuku198411/CVE-2026-0300
PAN-OS CVE-2026-0300 Non-Destructive Exposure Survey Tool
0
2026-05-06
lu4m575/CVE-2026-0300
CVE-2026-0300 PAN-OS 12.1, 11.2, 11.1, 10.2
0
2026-05-21
ridhinva/CVE-2026-0300-PANOS-RCE
PAN-OS User-ID Captive Portal Buffer Overflow RCE Scanner & Checker
0
2026-05-22
9 repos — triés par ⭐
Rechercher sur GitHub ↗
https://security.paloaltonetworks.com/CVE-2026-0300
vendor-advisory
Signal Intelligence
Confidence
85%
EPSS
4.35%
CVSS v4.0
9.3
CVSS v3.1
9.8
Mentions
7
Last Seen
May 19, 2026
CNA Information
CNA Assigner
palo_alto
CNA Title
PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
Analyst Note
CVE-2026-0300 is explicitly named as a zero-day being exploited in the wild across multiple authoritative sources (CyberScoop, TheHackerNews, BleepingComputer, SecurityWeek). CISA KEV catalog addition confirms active exploitation. Palo Alto Networks' disclosure of a zero-day being patched aligns with active attacks.
Triage Info
Decided atMay 07, 2026
Published DateMay 06, 2026