PAN-OS - Reflected Cross-Site Scripting

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link.The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN.

• https://security.paloaltonetworks.com/CVE-2025-0133
• https://hackerone.com/reports/3096384