CVE-2026-0236 HIGH

CVE-2026-0236: Prisma Browser: Code Injection Enables Security Controls Bypass

Vendor Palo Alto Networks
Product Prisma Browser
Weakness CWE-94 · Code injection
Published May 13, 2026
Last update May 15, 2026

CVSS base score

7.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber

What the vulnerability does

01Description

A code injection vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to its AppleScript interface allowing a locally authenticated non-admin user to leverage this exposed Apple Event handler to send unauthorized commands to the browser.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 15, 2026 Record updated

Related vulnerabilities

04Related CVE