{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0259", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2025-11-03T20:44:19.922Z", "datePublished": "2026-05-13T18:05:45.862Z", "dateUpdated": "2026-05-13T18:57:18.638Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2026-05-13T18:05:45.862Z"}, "title": "WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)", "datePublic": "2026-05-13T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-597", "descriptions": [{"lang": "en", "value": "CAPEC-597 Absolute Path Traversal"}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "WildFire WF-500 and WF-500-B", "versions": [{"status": "affected", "version": "12.1.0", "lessThan": "12.1.7, 12.1.4-h5", "changes": [{"at": "12.1.7", "status": "unaffected"}, {"at": "12.1.4-h5", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.11,11.2.7-h7", "changes": [{"at": "11.2.12", "status": "unaffected"}, {"at": "11.2.10-h6", "status": "unaffected"}, {"at": "11.2.7-h13", "status": "unaffected"}, {"at": "11.2.4-h17", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "11.1.0", "lessThan": "11.1.13,11.1.10-h8", "changes": [{"at": "11.1.15", "status": "unaffected"}, {"at": "11.1.13-h5", "status": "unaffected"}, {"at": "11.1.10-h25", "status": "unaffected"}, {"at": "11.1.7-h6", "status": "unaffected"}, {"at": "11.1.6-h32", "status": "unaffected"}, {"at": "11.1.4-h33", "status": "unaffected"}], "versionType": "custom"}, {"status": "affected", "version": "10.2.0", "lessThan": "10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34", "changes": [{"at": "10.2.18-h6", "status": "unaffected"}, {"at": "10.2.16-h7", "status": "unaffected"}, {"at": "10.2.13-h21", "status": "unaffected"}, {"at": "10.2.10-h36", "status": "unaffected"}, {"at": "10.2.7-h34", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.1.0", "versionEndExcluding": "12.1.7_12.1.4-h5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.11_11.2.7-h7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.13_11.1.10-h8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.2.0", "versionEndExcluding": "10.2.18-h6_10.2.16-h7_10.2.13-h21_10.2.10-h36_10.2.7-h34"}]}]}], "descriptions": [{"lang": "en", "value": "An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire\u00ae WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.\n\n\n\nThe WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.\n\n\n\nPlease note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire\u00ae WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.</p><p>The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.</p><p>Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.<br></p>"}]}], "references": [{"url": "https://security.paloaltonetworks.com/CVE-2026-0259", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber"}}], "configurations": [{"lang": "eng", "value": "No special configuration is required to be affected by this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "No special configuration is required to be affected by this issue."}]}], "workarounds": [{"lang": "eng", "value": "For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.\n\nCustomers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later).\n\n\nPlease note that this Threat ID requires SSL Decryption.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.</p><p>Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later). <br></p><b></b><p>Please note that this Threat ID requires SSL Decryption.</p>"}]}], "solutions": [{"lang": "eng", "value": "VERSION MINOR VERSION RANGE SUGGESTED SOLUTION\nWildFire WF-500 and WF-500-B 12.1 12.1.5 through 12.1.6 Upgrade to 12.1.7 or later.\n 12.1.2 through 12.1.4-h* Upgrade to 12.1.4-h5 or 12.1.7 or later.\nWildFire WF-500 and WF-500-B 11.2 11.2.11 or later Upgrade to 11.2.12 or later.\n 11.2.8 through 11.2.10-h* Upgrade to 11.2.10-h6 or 11.2.12 or later.\n 11.2.5 through 11.2.7-h* Upgrade to 11.2.7-h13 or 11.2.12 or later.\n 11.2.0 through 11.2.4-h* Upgrade to 11.2.4-h17 or 11.2.12 or later.\nWildFire WF-500 and WF-500-B 11.1 11.1.14 or later Upgrade to 11.1.15 or later.\n 11.1.11 through 11.1.13-h* Upgrade to 11.1.13-h5 or 11.1.15 or later.\n 11.1.8 through 11.1.10-h* Upgrade to 11.1.10-h25 or 11.1.15 or later.\n 11.1.7 through 11.1.7-h* Upgrade to 11.1.7-h6 or 11.1.15 or later.\n 11.1.5 through 11.1.6-h* Upgrade to 11.1.6-h32 or 11.1.15 or later.\n 11.1.0 through 11.1.4-h* Upgrade to 11.1.4-h33 or 11.1.15 or later.\nWildFire WF-500 and WF-500-B 10.2 10.2.17 through 10.2.18-h* Upgrade to 10.2.18-h6 or later.\n 10.2.14 through 10.2.16-h* Upgrade to 10.2.16-h7 or 10.2.18-h6 or later.\n 10.2.11 through 10.2.13-h* Upgrade to 10.2.13-h21 or 10.2.18-h6 or later.\n 10.2.8 through 10.2.10-h* Upgrade to 10.2.10-h36 or 10.2.18-h6 or later.\n 10.2.0 through 10.2.7-h* Upgrade to 10.2.7-h34 or 10.2.18-h6 or later.\nWildFire WF-500 and WF-500-B 10.1 All (EoL) No fix planned. Upgrade to a supported version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<table class=\"tbl\"><thead><tr><th>Version</th><th>Minor Version Range</th><th>Suggested Solution</th></tr></thead><tbody><tr><td>WildFire WF-500 and WF-500-B 12.1</td><td>12.1.5 through 12.1.6</td><td>Upgrade to 12.1.7 or later.</td></tr><tr><td><br></td><td>12.1.2 through 12.1.4-h*</td><td>Upgrade to 12.1.4-h5 or 12.1.7 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 11.2</td><td>11.2.11 or later</td><td>Upgrade to 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.8 through 11.2.10-h*</td><td>Upgrade to 11.2.10-h6 or 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.5 through 11.2.7-h*</td><td>Upgrade to 11.2.7-h13 or 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.0 through 11.2.4-h*</td><td>Upgrade to 11.2.4-h17 or 11.2.12 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 11.1</td><td>11.1.14 or later</td><td>Upgrade to 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.11 through 11.1.13-h*</td><td>Upgrade to 11.1.13-h5 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.8 through 11.1.10-h*</td><td>Upgrade to 11.1.10-h25 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.7 through 11.1.7-h*</td><td>Upgrade to 11.1.7-h6 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.5 through 11.1.6-h*</td><td>Upgrade to 11.1.6-h32 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.0 through 11.1.4-h*</td><td>Upgrade to 11.1.4-h33 or 11.1.15 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 10.2</td><td>10.2.17 through 10.2.18-h*</td><td>Upgrade to 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.14 through 10.2.16-h*</td><td>Upgrade to 10.2.16-h7 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.11 through 10.2.13-h*</td><td>Upgrade to 10.2.13-h21 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.8 through 10.2.10-h*</td><td>Upgrade to 10.2.10-h36 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.0 through 10.2.7-h*</td><td>Upgrade to 10.2.7-h34 or 10.2.18-h6 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 10.1<br></td><td>&nbsp;All (EoL)</td><td>No fix planned. Upgrade to a supported version.</td></tr></tbody></table>"}]}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Palo Alto Networks is not aware of any malicious exploitation of this issue.</p>"}]}], "timeline": [{"time": "2026-05-13T16:00:00.000Z", "lang": "en", "value": "Initial publication."}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue.", "type": "other"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_affectedList": ["WildFire WF-500 and WF-500-B 12.1.0", "WildFire WF-500 and WF-500-B 12.1.1", "WildFire WF-500 and WF-500-B 12.1.2", "WildFire WF-500 and WF-500-B 12.1.3", "WildFire WF-500 and WF-500-B 11.2.0", "WildFire WF-500 and WF-500-B 11.2.1", "WildFire WF-500 and WF-500-B 11.2.2", "WildFire WF-500 and WF-500-B 11.2.3", "WildFire WF-500 and WF-500-B 11.1.0", "WildFire WF-500 and WF-500-B 11.1.1", "WildFire WF-500 and WF-500-B 11.1.2", "WildFire WF-500 and WF-500-B 11.1.3", "WildFire WF-500 and WF-500-B 10.2.0", "WildFire WF-500 and WF-500-B 10.2.1", "WildFire WF-500 and WF-500-B 10.2.2", "WildFire WF-500 and WF-500-B 10.2.3", "WildFire WF-500 and WF-500-B 10.2.4", "WildFire WF-500 and WF-500-B 10.2.5", "WildFire WF-500 and WF-500-B 10.2.6"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-13T18:56:39.294156Z", "id": "CVE-2026-0259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:57:18.638Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-13T18:56:39.294156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:57:10.236Z"}}], "cna": {"title": "WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "other", "value": "Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue."}], "impacts": [{"capecId": "CAPEC-597", "descriptions": [{"lang": "en", "value": "CAPEC-597 Absolute Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 5, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "UNREPORTED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "WildFire WF-500 and WF-500-B", "versions": [{"status": "affected", "changes": [{"at": "12.1.7", "status": "unaffected"}, {"at": "12.1.4-h5", "status": "unaffected"}], "version": "12.1.0", "lessThan": "12.1.7, 12.1.4-h5", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.2.12", "status": "unaffected"}, {"at": "11.2.10-h6", "status": "unaffected"}, {"at": "11.2.7-h13", "status": "unaffected"}, {"at": "11.2.4-h17", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.11,11.2.7-h7", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.1.15", "status": "unaffected"}, {"at": "11.1.13-h5", "status": "unaffected"}, {"at": "11.1.10-h25", "status": "unaffected"}, {"at": "11.1.7-h6", "status": "unaffected"}, {"at": "11.1.6-h32", "status": "unaffected"}, {"at": "11.1.4-h33", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.13,11.1.10-h8", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.2.18-h6", "status": "unaffected"}, {"at": "10.2.16-h7", "status": "unaffected"}, {"at": "10.2.13-h21", "status": "unaffected"}, {"at": "10.2.10-h36", "status": "unaffected"}, {"at": "10.2.7-h34", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34", "versionType": "custom"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Palo Alto Networks is not aware of any malicious exploitation of this issue.</p>", "base64": false}]}], "timeline": [{"lang": "en", "time": "2026-05-13T16:00:00.000Z", "value": "Initial publication."}], "solutions": [{"lang": "eng", "value": "VERSION MINOR VERSION RANGE SUGGESTED SOLUTION\nWildFire WF-500 and WF-500-B 12.1 12.1.5 through 12.1.6 Upgrade to 12.1.7 or later.\n 12.1.2 through 12.1.4-h* Upgrade to 12.1.4-h5 or 12.1.7 or later.\nWildFire WF-500 and WF-500-B 11.2 11.2.11 or later Upgrade to 11.2.12 or later.\n 11.2.8 through 11.2.10-h* Upgrade to 11.2.10-h6 or 11.2.12 or later.\n 11.2.5 through 11.2.7-h* Upgrade to 11.2.7-h13 or 11.2.12 or later.\n 11.2.0 through 11.2.4-h* Upgrade to 11.2.4-h17 or 11.2.12 or later.\nWildFire WF-500 and WF-500-B 11.1 11.1.14 or later Upgrade to 11.1.15 or later.\n 11.1.11 through 11.1.13-h* Upgrade to 11.1.13-h5 or 11.1.15 or later.\n 11.1.8 through 11.1.10-h* Upgrade to 11.1.10-h25 or 11.1.15 or later.\n 11.1.7 through 11.1.7-h* Upgrade to 11.1.7-h6 or 11.1.15 or later.\n 11.1.5 through 11.1.6-h* Upgrade to 11.1.6-h32 or 11.1.15 or later.\n 11.1.0 through 11.1.4-h* Upgrade to 11.1.4-h33 or 11.1.15 or later.\nWildFire WF-500 and WF-500-B 10.2 10.2.17 through 10.2.18-h* Upgrade to 10.2.18-h6 or later.\n 10.2.14 through 10.2.16-h* Upgrade to 10.2.16-h7 or 10.2.18-h6 or later.\n 10.2.11 through 10.2.13-h* Upgrade to 10.2.13-h21 or 10.2.18-h6 or later.\n 10.2.8 through 10.2.10-h* Upgrade to 10.2.10-h36 or 10.2.18-h6 or later.\n 10.2.0 through 10.2.7-h* Upgrade to 10.2.7-h34 or 10.2.18-h6 or later.\nWildFire WF-500 and WF-500-B 10.1 All (EoL) No fix planned. Upgrade to a supported version.", "supportingMedia": [{"type": "text/html", "value": "<table class=\"tbl\"><thead><tr><th>Version</th><th>Minor Version Range</th><th>Suggested Solution</th></tr></thead><tbody><tr><td>WildFire WF-500 and WF-500-B 12.1</td><td>12.1.5 through 12.1.6</td><td>Upgrade to 12.1.7 or later.</td></tr><tr><td><br></td><td>12.1.2 through 12.1.4-h*</td><td>Upgrade to 12.1.4-h5 or 12.1.7 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 11.2</td><td>11.2.11 or later</td><td>Upgrade to 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.8 through 11.2.10-h*</td><td>Upgrade to 11.2.10-h6 or 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.5 through 11.2.7-h*</td><td>Upgrade to 11.2.7-h13 or 11.2.12 or later.</td></tr><tr><td><br></td><td>11.2.0 through 11.2.4-h*</td><td>Upgrade to 11.2.4-h17 or 11.2.12 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 11.1</td><td>11.1.14 or later</td><td>Upgrade to 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.11 through 11.1.13-h*</td><td>Upgrade to 11.1.13-h5 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.8 through 11.1.10-h*</td><td>Upgrade to 11.1.10-h25 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.7 through 11.1.7-h*</td><td>Upgrade to 11.1.7-h6 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.5 through 11.1.6-h*</td><td>Upgrade to 11.1.6-h32 or 11.1.15 or later.</td></tr><tr><td><br></td><td>11.1.0 through 11.1.4-h*</td><td>Upgrade to 11.1.4-h33 or 11.1.15 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 10.2</td><td>10.2.17 through 10.2.18-h*</td><td>Upgrade to 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.14 through 10.2.16-h*</td><td>Upgrade to 10.2.16-h7 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.11 through 10.2.13-h*</td><td>Upgrade to 10.2.13-h21 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.8 through 10.2.10-h*</td><td>Upgrade to 10.2.10-h36 or 10.2.18-h6 or later.</td></tr><tr><td><br></td><td>10.2.0 through 10.2.7-h*</td><td>Upgrade to 10.2.7-h34 or 10.2.18-h6 or later.</td></tr><tr><td>WildFire WF-500 and WF-500-B 10.1<br></td><td>&nbsp;All (EoL)</td><td>No fix planned. Upgrade to a supported version.</td></tr></tbody></table>", "base64": false}]}], "datePublic": "2026-05-13T16:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2026-0259", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "eng", "value": "For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.\n\nCustomers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later).\n\n\nPlease note that this Threat ID requires SSL Decryption.", "supportingMedia": [{"type": "text/html", "value": "<p>For airgapped deployments, we strongly recommend that you secure WildFire 500 appliances by restricting access to only trusted internal IP addresses.</p><p>Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510010 (Applications and Threats content version 9100-10044 and later). <br></p><b></b><p>Please note that this Threat ID requires SSL Decryption.</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire\u00ae WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.\n\n\n\nThe WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.\n\n\n\nPlease note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<p>An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire\u00ae WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.</p><p>The WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.</p><p>Please note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "configurations": [{"lang": "eng", "value": "No special configuration is required to be affected by this issue.", "supportingMedia": [{"type": "text/html", "value": "No special configuration is required to be affected by this issue.", "base64": false}]}], "x_affectedList": ["WildFire WF-500 and WF-500-B 12.1.0", "WildFire WF-500 and WF-500-B 12.1.1", "WildFire WF-500 and WF-500-B 12.1.2", "WildFire WF-500 and WF-500-B 12.1.3", "WildFire WF-500 and WF-500-B 11.2.0", "WildFire WF-500 and WF-500-B 11.2.1", "WildFire WF-500 and WF-500-B 11.2.2", "WildFire WF-500 and WF-500-B 11.2.3", "WildFire WF-500 and WF-500-B 11.1.0", "WildFire WF-500 and WF-500-B 11.1.1", "WildFire WF-500 and WF-500-B 11.1.2", "WildFire WF-500 and WF-500-B 11.1.3", "WildFire WF-500 and WF-500-B 10.2.0", "WildFire WF-500 and WF-500-B 10.2.1", "WildFire WF-500 and WF-500-B 10.2.2", "WildFire WF-500 and WF-500-B 10.2.3", "WildFire WF-500 and WF-500-B 10.2.4", "WildFire WF-500 and WF-500-B 10.2.5", "WildFire WF-500 and WF-500-B 10.2.6"], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "12.1.7_12.1.4-h5", "versionStartIncluding": "12.1.0"}, {"criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.2.11_11.2.7-h7", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.1.13_11.1.10-h8", "versionStartIncluding": "11.1.0"}, {"criteria": "cpe:2.3:a:palo_alto_networks:wildfire_wf-500_and_wf-500-b:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.2.18-h6_10.2.16-h7_10.2.13-h21_10.2.10-h36_10.2.7-h34", "versionStartIncluding": "10.2.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2026-05-13T18:05:45.862Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0259", "state": "PUBLISHED", "dateUpdated": "2026-05-13T18:57:18.638Z", "dateReserved": "2025-11-03T20:44:19.922Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2026-05-13T18:05:45.862Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire\u00ae WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode.\n\n\n\nThe WildFire Appliance (WF-500, WF-500-B) software update is now available to customers that use the WildFire Appliance (WF-500, WF-500-B) for on-premise sandboxing.\n\n\n\nPlease note that customers using the WildFire Public cloud service are NOT impacted by this vulnerability."}], "id": "CVE-2026-0259", "lastModified": "2026-05-14T16:21:23.190", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2026-05-13T19:17:01.873", "references": [{"source": "psirt@paloaltonetworks.com", "url": "https://security.paloaltonetworks.com/CVE-2026-0259"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.0,12.1.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.2.0,11.2.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.1.0,11.1.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.2.0,10.2.18-h6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WildFire WF-500 and WF-500-B", "source": "cna", "vendor": "Palo Alto Networks"}, "product": "wildfire_wf-500_and_wf-500-b", "vendor": "palo_alto_networks"}], "created": "2026-05-13T19:45:03.826869+00:00", "updated": "2026-05-13T21:45:04.994384+00:00", "vendors": ["palo_alto_networks", "palo_alto_networks$PRODUCT$wildfire_wf-500_and_wf-500-b"]}