QSearchQSearch

CVE-2021-3050

8.8 HIGH

An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute ar...

Published: 2021-08-11 · Last updated: 2026-06-17

Severity and scoring

CVSS
8.8 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78

Affected products

VendorProduct
paloaltonetworkspan-os

Description

An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 9.0 version 9.0.10 through PAN-OS 9.0.14; PAN-OS 9.1 version 9.1.4 through PAN-OS 9.1.10; PAN-OS 10.0 version 10.0.7 and earlier PAN-OS 10.0 versions; PAN-OS 10.1 version 10.1.0 through PAN-OS 10.1.1. Prisma Access firewalls and firewalls running PAN-OS 8.1 versions are not impacted by this issue.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-0257 Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker ... (9.1 CRITICAL)
  • CVE-2025-0130 A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to... (7.5 HIGH)
  • CVE-2021-3057 A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker ... (8.1 HIGH)
  • CVE-2021-3055 An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an au... (6.5 MEDIUM)
  • CVE-2021-3054 A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authentica... (7.2 HIGH)

Same CWE

  • CVE-2026-22313 The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
  • CVE-2026-44932 Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
  • CVE-2026-12398 A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
  • CVE-2026-5416 Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)
  • CVE-2026-12161 Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user ... (8.8 HIGH)