Broadcom Patches Stored XSS Flaws in VMware Cloud Foundation Operations
Broadcom has released VMSA-2026-0004 to fix three stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724. The flaws affect VMware Cloud Foundation Operations and related enterprise cloud environments, including VMware Aria Operations, VMware Telco Cloud Platform, and VMware vSphere Foundation deployments. Broadcom rated the issues Important, with a maximum CVSS v3.1 score of 8.0 and vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
According to the advisory, an authenticated user with privileges to create policies, views, or text widgets could inject malicious scripts that execute when viewed and potentially perform administrative actions inside the platform. Broadcom said the vulnerabilities were privately reported and published remediation guidance, including upgrading Aria Operations to version 8.18.6. Organizations running affected VMware management platforms have been urged to review exposed deployments and apply the available patches promptly.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Broadcom issues VMSA-2026-0004 with remediation guidance
Broadcom issued security advisory VMSA-2026-0004 addressing the three stored XSS vulnerabilities in VMware Cloud Foundation Operations and related products. The advisory included remediation guidance, including upgrading VMware Aria Operations to fixed version 8.18.6.
VMware discloses three stored XSS flaws in Cloud Foundation Operations
On June 8, 2026, VMware/Broadcom disclosed CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724 affecting VMware Cloud Foundation Operations. The flaws are stored cross-site scripting issues that could let a privileged user inject scripts and perform administrative actions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
VMware Stored XSS Bugs Patched in Broadcom Security Updates
securityonline.info
Open sourceCVE-2026-41724 - VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
cvefeed.io
Open sourceCVE-2026-41723 - VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
cvefeed.io
Open sourceCVE-2026-41722 - VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
cvefeed.io
Open sourceSupport Content Notification - Support Portal - Broadcom support portal
support.broadcom.com
Open sourceWarning: 3 high Cross-Site Scripting (XSS) in VMware (Telco) Cloud/vSphere Foundation & Aria Operations, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory **VMSA-2026-0001** for **VMware Aria Operations** (formerly *vRealize Operations*), warning of three vulnerabilities affecting Aria Operations and bundled platforms including **VMware Cloud Foundation** and **VMware Telco Cloud**. The most severe issue, **CVE-2026-22719** (CVSS 8.1), is a **command injection** flaw that can be exploited by an **unauthenticated** attacker to execute arbitrary commands and potentially achieve **remote code execution** specifically **while a support-assisted product migration is in progress**. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix/KB guidance. The advisory also covers **CVE-2026-22720** (CVSS 8.0), a **stored XSS** issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and **CVE-2026-22721** (CVSS 6.2), a **privilege escalation** path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers **Sven Nobis** and **Lorin Lehawany** of **ERNW** were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations **8.18.6** and Cloud Foundation **9.0.2.0**, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
Mar 21, 2026
VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued **VMSA-2025-0010** to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by **CVE-2025-41225**, an authenticated command-execution flaw in **vCenter Server** with a **CVSS 8.8** score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address **CVE-2025-41226** and **CVE-2025-41227** denial-of-service issues and **CVE-2025-41228**, a reflected **XSS** flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that **no workarounds** exist. The latest advisory follows earlier VMware warnings over serious **vCenter Server** weaknesses, including **VMSA-2024-0012**, which disclosed **CVE-2024-37079**, **CVE-2024-37080**, and **CVE-2024-37081** as memory-management and corruption flaws that could enable **remote code execution** in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing **CVE-2024-37081**, underscoring continued security attention on vCenter exposure.
May 26, 2026
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Apr 24, 2026