VMware Cloud Foundation Operations XSS Flaws Let Attackers Inject Scripts for Admin Actions
Broadcom has patched three stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations that could let authenticated attackers inject malicious scripts and perform administrative actions inside affected environments.
The flaws are tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724. Broadcom disclosed the issues in VMSA-2026-0004, published on June 8, 2026.
Each vulnerability has a CVSSv3 base score of 8.0 and falls in Broadcom’s Important severity range. Broadcom says there are no workarounds, so administrators need to apply the fixed versions listed in the advisory.
Authenticated attackers could abuse policies, views, and text widgets
The vulnerabilities affect VMware Cloud Foundation Operations and related products. Broadcom says an attacker needs privileges to create policies, views, or text widgets before they can inject malicious scripts.
That requirement limits exploitation to authenticated users with specific rights, but the risk remains serious. If a payload is stored inside a management object and later viewed by an administrator, the script can run in that administrator’s browser session.
NVD describes CVE-2026-41722 as one of the stored XSS issues that can let a malicious actor with the right privileges inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
| CVE | Type | CVSSv3 score | Attack requirement |
|---|---|---|---|
| CVE-2026-41722 | Stored cross-site scripting | 8.0 | Authenticated access with rights to create affected objects |
| CVE-2026-41723 | Stored cross-site scripting | 8.0 | Authenticated access with rights to create affected objects |
| CVE-2026-41724 | Stored cross-site scripting | 8.0 | Authenticated access with rights to create affected objects |
Why stored XSS matters in VMware management tools
Stored XSS is more dangerous than a one-time reflected script because the malicious content remains saved on the server. The payload can execute repeatedly whenever another user opens the affected page or object.
In an operations platform, that can create a privilege escalation path. A lower-privileged user who can create a view or text widget could plant a script that later runs when an administrator loads it.
The weakness maps to CWE-79, which MITRE defines as improper neutralization of input during web page generation, commonly known as cross-site scripting.
- The attacker must already have authenticated access.
- The attacker needs permissions to create policies, views, or text widgets.
- The injected script can persist inside the VMware management interface.
- The payload can run when another user opens the affected object.
- The impact can include administrative actions in VMware Cloud Foundation Operations.
Broadcom lists VMware Aria Operations and Cloud Foundation products as affected
The advisory covers VMware Aria Operations, VMware Cloud Foundation Operations, VMware Cloud Foundation, VMware vSphere Foundation, and VMware Telco Cloud Platform.
NVD says CVE-2026-41723 has the same attacker profile and impact language as the other two issues. VMware is listed as the source, and the CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
The vector shows why the score reaches 8.0. The attack can occur over the network, needs low attack complexity, requires low privileges, and depends on user interaction, while the confidentiality, integrity, and availability impacts are all marked high.
| Product | Component | Affected version | Fixed version |
|---|---|---|---|
| VMware Cloud Foundation / VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.1.x.x | 9.1.0.0 |
| VMware Cloud Foundation / VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.0.x.x | 9.0.2.0 EP2 |
| VMware Aria Operations | N/A | 8.x | 8.18.6 for CVE-2026-41722 and CVE-2026-41723 |
| VMware Aria Operations | N/A | 8.x | 8.18.7 for all three CVEs |
| VMware Cloud Foundation | VMware Aria Operations | 5.x | 8.18.7 |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x | KB443138 |
No workaround is available, so patching is the priority
Broadcom says there are no workarounds for these vulnerabilities. That makes version upgrades and patch deployment the main remediation path for exposed environments.
Administrators should review the response matrix carefully because not every affected product maps to the same fixed release. VMware Aria Operations 8.x, for example, has entries for both 8.18.6 and 8.18.7 depending on which CVEs an organization needs to address.
NVD’s CVE-2026-41724 record also lists the issue as undergoing enrichment, with VMware as the source and Broadcom’s advisory as the linked vendor reference.
- Identify all VMware Cloud Foundation Operations and VMware Aria Operations deployments.
- Check whether the environment runs 9.1.x.x, 9.0.x.x, 8.x, or 5.x product lines.
- Apply the correct fixed version from Broadcom’s response matrix.
- Restrict who can create policies, views, and text widgets while patching is underway.
- Review recent changes to views, policies, dashboards, and widgets for unexpected script content.
Security teams should review roles and audit suspicious objects
Because exploitation requires existing access, organizations should not treat this only as a patching issue. Role assignments and object-creation rights also need review.
Accounts that can create or edit policies, views, and text widgets should be limited to users who truly need those permissions. Shared admin accounts, stale contractor access, and overly broad custom roles increase the risk of abuse.
Security teams should also check logs for suspicious changes to management objects. A stored XSS payload may appear as unusual HTML, script tags, event handlers, encoded JavaScript, or unexpected external references inside user-editable fields.
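As an added example of the audit step described above (not a tool from Broadcom or from the original article), the following script scans the user-editable fields of exported management objects for the indicators listed: script tags, event handlers, script URIs and external references, including payloads hidden behind HTML or percent encoding. The object format and ids are constructed placeholders, not the product's real export schema.

```python
import html
import re
import urllib.parse

# Indicators a reviewer would look for in text widgets, views and policy
# descriptions; each is checked on the raw field and on decoded copies.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(javascript|vbscript)\s*:", re.I),
    "external_reference": re.compile(r"\b(src|href|action)\s*=\s*['\"]?\s*(https?:)?//", re.I),
}

def decode_layers(text, rounds=3):
    """text plus up to `rounds` HTML/percent-decoded copies, so an encoded
    payload is also inspected in the form a browser would finally see."""
    layers = [text]
    for _ in range(rounds):
        decoded = urllib.parse.unquote(html.unescape(layers[-1]))
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def scan_object(obj, fields=("name", "description", "content")):
    """Sorted indicator labels found in the object's user-editable fields;
    'encoded' is added when an indicator only shows up after decoding."""
    hits = set()
    for field in fields:
        layers = decode_layers(str(obj.get(field, "")))
        for label, pattern in INDICATORS.items():
            matched = [bool(pattern.search(layer)) for layer in layers]
            if any(matched):
                hits.add(label)
                if not matched[0]:
                    hits.add("encoded")
    return sorted(hits)

def audit(objects):
    """Map object id -> indicator labels for every object that has any."""
    return {o["id"]: scan_object(o) for o in objects if scan_object(o)}

# Constructed sample export (not real product data); ids are placeholders.
SAMPLE_OBJECTS = [
    {"id": "view-101", "name": "Cluster CPU", "content": "<b>CPU %</b>"},
    {"id": "widget-202", "name": "Notes", "content": "<script>document.title='x'</script>"},
    {"id": "widget-203", "name": "Legend", "content": '<div onmouseover="run()">hover</div>'},
    {"id": "policy-304", "name": "Baseline", "description": "%3Cscript%3Et()%3C/script%3E"},
]
```

Treat the output as triage input, not proof: the patterns favour recall, so legitimate widgets that embed markup will need a manual look, and the real object export format must be mapped onto the field names assumed here.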
| Defensive action | Why it matters |
|---|---|
| Patch affected products | Broadcom has not provided a workaround. |
| Limit object-creation permissions | The attack requires rights to create policies, views, or text widgets. |
| Audit recent object changes | Stored XSS payloads can persist in saved management objects. |
| Review admin sessions | The impact depends on scripts running in another user’s browser context. |
| Monitor for unusual administrative actions | A successful payload could act through a higher-privileged session. |
VMware administrators should act quickly
These issues do not appear to allow unauthenticated remote code execution, but they still matter because they affect management software used to oversee virtualized infrastructure.
A stored XSS flaw in an operations console can give attackers a way to move from limited authenticated access to actions performed through another user’s session. In environments where VMware management tools control critical infrastructure, that can create meaningful operational risk.
The safest path is to apply the fixed versions in Broadcom’s VMSA-2026-0004 advisory, then validate that no suspicious objects remain in the environment.
Teams should also use the NVD entries for CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724 to track enrichment, weakness mapping, and any future reference updates.
These vulnerabilities also reinforce a common web security lesson. Input that appears only inside an admin console still needs strong sanitization and output encoding because management interfaces are high-value targets. The CWE-79 weakness remains especially dangerous when it affects tools trusted by administrators.
FAQ
Broadcom disclosed three stored cross-site scripting vulnerabilities tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724. They affect VMware Cloud Foundation Operations and related Broadcom VMware products.
Broadcom rates the vulnerabilities as Important, with a maximum CVSSv3 base score of 8.0. NVD lists the VMware CNA score as 8.0 High for the CVEs.
No. Broadcom says exploitation requires a malicious actor to have privileges to create policies, views, or text widgets. However, the attacker may be able to inject scripts that perform administrative actions when viewed by another user.
No workaround is available according to Broadcom. Administrators need to apply the patches and fixed versions listed in the official response matrix.
The advisory lists VMware Aria Operations, VMware Cloud Foundation Operations, VMware Cloud Foundation, VMware vSphere Foundation, and VMware Telco Cloud Platform as impacted products.
Administrators should review permissions for creating policies, views, and text widgets, audit recent object changes for suspicious script content, check administrative activity logs, and remove unnecessary high-privilege access.