VMware Cloud Foundation Operations Faces Multiple Stored XSS Vulnerabilities

Severity: High (Score: 60.8)

Sources: Cybersecuritynews, Gbhackers, Heise.De, support.broadcom.com

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: vmware, vulnerabilities, stored, operations, multiple, products, cross-site

Severity indicators: vulnerabilities, rat

Summary

Broadcom has disclosed three stored cross-site scripting (XSS) vulnerabilities in VMware Cloud Foundation Operations and related products. The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, allow authenticated attackers to inject malicious scripts that can perform administrative actions. These vulnerabilities have a CVSS score of 8.0, indicating a high severity level. Affected products include VMware Cloud Foundation and vSphere Foundation versions 9.1.0 and 9.0.2.0 EP2, as well as VMware Aria Operations. Broadcom advises that no active exploitation has been reported, but administrators should apply patches immediately to mitigate risks. There are no temporary workarounds available; only updates to the patched versions will resolve the issues. The vulnerabilities were privately reported and have been addressed in security advisory VMSA-2026-0004.

Key Points:

  • Three stored XSS vulnerabilities in VMware products allow script injection by authenticated users.
  • Affected products include VMware Cloud Foundation and vSphere Foundation versions 9.1.0 and 9.0.2.0 EP2.
  • Broadcom recommends immediate patching as there are no known workarounds for these vulnerabilities.

Detailed Analysis

**Impact**

Organizations using VMware Cloud Foundation Operations and related products such as VMware vSphere Foundation, VMware Aria Operations, and VMware Telco Cloud Platform are affected. The vulnerabilities enable attackers with authenticated privileges to inject malicious scripts that execute administrative actions, potentially impacting operational integrity and security. No specific sectors, geographies, or data breach incidents have been reported. The maximum CVSSv3 base score is 8.0, indicating a high risk of exploitation.

**Technical Details**

Three stored cross-site scripting vulnerabilities (CVE-2026-41722, CVE-2026-41723, CVE-2026-41724) allow attackers with rights to create policies, views, or text widgets to inject scripts executed within VMware Cloud Foundation Operations. The attack vector requires authenticated access and targets the administrative interface, enabling script injection during the policy or widget creation process. No malware, tools, or IOCs have been disclosed. The vulnerabilities affect versions 9.1.0.0 and 9.0.2.0 EP2 of VMware Cloud Foundation and vSphere Foundation, as well as VMware Aria Operations 8.18.6/8.18.7 and VMware Telco Cloud Platform 5.x.

**Recommended Response**

Apply the patches and updates provided in VMware Security Advisory VMSA-2026-0004 immediately, specifically upgrading to VMware Cloud Foundation 9.1.0.0, vSphere Foundation 9.1.0.0, VMware Aria Operations 8.18.7, or the corresponding fixed versions for affected products. There are no known temporary workarounds; therefore, patching is the sole remediation. Monitor administrative interfaces for unusual script injection activity and restrict privileges to trusted users only. No additional detection rules or IOCs have been published at this time.
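The advisory describes the bug class (stored XSS via user-created text widgets, views and policies) and the response (patch, restrict creation rights, review what has been stored) without publishing the affected code. The following is an added illustration, not VMware's or Broadcom's code, of what that class looks like in a generic dashboard renderer: stored widget fields interpolated straight into markup versus the same fields HTML-encoded at render time, plus an audit helper of the kind an operator could run over exported widget definitions to find entries that contain active markup and who created them. The `widget` object shape, the field names and the sample entries are all constructed for the example.

```javascript
// Added example (hypothetical dashboard code, not VMware's): stored text-widget
// content becoming stored XSS, the encode-at-render fix, and an audit pass.

// Minimal HTML escaper for the characters that matter in element content and
// in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: fields read back from storage are trusted and dropped
// into the page as HTML. Whoever could save the widget now runs script in the
// browser of every admin who views the dashboard.
function renderWidgetUnsafe(widget) {
  return `<div class="widget" data-id="${widget.id}">` +
         `<h3>${widget.title}</h3><p>${widget.body}</p></div>`;
}

// Hardened pattern: every stored field is encoded for the context it lands in
// (attribute value or element text). Storage is not trusted more than input.
function renderWidgetSafe(widget) {
  return `<div class="widget" data-id="${escapeHtml(widget.id)}">` +
         `<h3>${escapeHtml(widget.title)}</h3><p>${escapeHtml(widget.body)}</p></div>`;
}

// Audit helper: flag stored entries whose text contains active HTML so an
// operator can review them and the account that created them. This is a
// review heuristic for already-stored data, not a sanitizer, and it does not
// replace the vendor patch.
const ACTIVE_MARKUP = /<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i;

function auditStoredWidgets(widgets) {
  return widgets
    .filter(w => ACTIVE_MARKUP.test(`${w.title}\n${w.body}`))
    .map(w => ({ id: w.id, createdBy: w.createdBy }));
}

// Constructed sample data: two ordinary widgets and one saved by an account
// that only has widget-creation rights.
const SAMPLE_WIDGETS = [
  { id: "w1", createdBy: "ops-admin", title: "Cluster health", body: "All hosts green" },
  { id: "w2", createdBy: "editor",    title: "Notes",          body: "<script>alert(1)</script>" },
  { id: "w3", createdBy: "ops-admin", title: "Capacity",       body: "80% used & rising" },
];

// Stand-alone run: show the two renderings side by side and the audit result.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderWidgetUnsafe(SAMPLE_WIDGETS[1]));
  console.log("safe:  ", renderWidgetSafe(SAMPLE_WIDGETS[1]));
  console.log("flagged:", auditStoredWidgets(SAMPLE_WIDGETS));
}
```

The audit list is deliberately narrow: it answers "which stored objects carry markup that should not be there, and which account wrote them", which is what the advisory's advice to monitor the administrative interface and restrict creation rights to trusted users comes down to in practice. Encoding at render time is the structural fix; the regex only helps triage what was stored before the patch went in.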

Source articles (4)

  • Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts — Cybersecuritynews · 2026-06-08
    Broadcom has disclosed three stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation Operations and several related products, warning that authenticated attackers could inj…
  • VMware: Multiple products with stored cross-site scripting vulnerabilities — Heise.De · 2026-06-08
    Stored cross-site scripting vulnerabilities exist in VMware Cloud Foundation and related products. Attackers can use these to inject script code into victims. In a security advisory, Broadcom warns th…
  • Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts — Gbhackers · 2026-06-08
    VMware has disclosed multiple high-severity stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation (VCF) Operations, potentially allowing attackers to inject malicious scr…
  • 37513 — support.broadcom.com · 2026-06-08
    VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724) VCF Operations VCF Operations/Automation (formerly VMwar…

Timeline

  • 2026-06-08 — Broadcom discloses XSS vulnerabilities: Broadcom published security advisory VMSA-2026-0004 detailing three stored XSS vulnerabilities in VMware products, urging immediate patching.
  • 2026-06-08 — CVE-2026-41722 published: CVE-2026-41722, a stored XSS vulnerability in VMware Cloud Foundation Operations, was published with a CVSS score of 8.0.
  • 2026-06-08 — CVE-2026-41723 published: CVE-2026-41723, another stored XSS vulnerability in VMware products, was disclosed alongside CVE-2026-41722 and CVE-2026-41724.
  • 2026-06-08 — CVE-2026-41724 published: CVE-2026-41724, the third stored XSS vulnerability affecting VMware Cloud Foundation Operations, was published with a high severity rating.

CVEs

  • CVE-2026-41722
  • CVE-2026-41723
  • CVE-2026-41724

Related entities

  • XSS (Vulnerability)
  • CWE-79 - Cross-Site Scripting (XSS) (CWE)
  • german.it (Domain)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • VMware (Tool)
  • VMware Aria Operations (Platform)
  • VMware Cloud Foundation (Platform)
  • VMware Cloud Foundation Operations (Platform)
  • VMware Telco Cloud Platform (Platform)
  • VMware vSphere Foundation (Platform)
  • vSphere Foundation (Platform)