Broadcom has released an urgent security advisory, VMSA-2026-0004, disclosing three stored cross-site scripting (XSS) vulnerabilities in VMware Cloud Foundation Operations and related products.
Tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, all three flaws carry a CVSSv3 base score of 8.0, placing them firmly in the “Important” severity category. The vulnerabilities were privately reported and patched on June 8, 2026, with no known active exploitation at the time of disclosure.
All three CVEs are stored (persistent) cross-site scripting vulnerabilities embedded within VMware Cloud Foundation Operations, Broadcom’s unified cloud management and monitoring platform.
Unlike reflected XSS, stored XSS injects malicious scripts directly into the application’s database or storage layer, meaning every subsequent user who accesses the affected component automatically triggers the payload without any additional attacker interaction.
The core attack vector here is particularly concerning for enterprise environments: a threat actor with low-level authenticated privileges, specifically the ability to create policies, views, or text widgets, can inject malicious JavaScript that executes in the context of a higher-privileged administrator’s browser session.
In practical terms, this means an attacker with a basic user account could silently hijack an admin session, exfiltrate credentials, pivot laterally, or make unauthorized configuration changes across the entire VMware environment.
The CVSSv3 vector string AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H confirms network-based exploitation with low attack complexity: the attacker needs only low privileges (PR:L), a privileged user must view the injected content (UI:R), and the impact on confidentiality, integrity, and availability is rated high. Taken together, the vector reflects how straightforward the attack path is once an adversary has any foothold inside the management interface.
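The class of bug the advisory describes (low-privileged user stores widget text, the platform later renders it into an administrator's page) is shown below as an added example. This is not code from VMware Cloud Foundation Operations or from Broadcom; the widget record, its field names, and the two renderers are constructed here to contrast the vulnerable sink with its hardened form, and a small parser-based check makes the difference measurable.

```python
"""Stored-XSS sink beside its hardened form (added example, not VMware code).

A "text widget" created by a low-privileged user is persisted, then rendered
into a page an administrator views.  The vulnerable renderer concatenates the
stored fields into HTML; the hardened one encodes each field for the context
it lands in and refuses non-http(s) link schemes.
"""
import html
from html.parser import HTMLParser

# Constructed record, as a "create text widget" action might persist it.
# Both user-controlled fields carry a benign test payload.
STORED_WIDGET = {
    "id": 7,
    "title": 'Capacity <img src=x onerror="alert(1)">',   # attacker-controlled text
    "link": "javascript:alert(1)",                       # attacker-controlled URL
    "owner": "lowpriv-user",
}


def render_widget_unsafe(widget: dict) -> str:
    """Vulnerable: stored fields are dropped straight into the HTML template."""
    return (
        f'<div class="widget" data-id="{widget["id"]}">'
        f'<h3>{widget["title"]}</h3>'
        f'<a href="{widget["link"]}">details</a></div>'
    )


def safe_url(url: str) -> str:
    """Allow only http(s) links; anything else becomes an inert anchor."""
    if url.strip().lower().startswith(("http://", "https://")):
        return html.escape(url, quote=True)
    return "#"


def render_widget_safe(widget: dict) -> str:
    """Hardened: HTML-encode text, coerce the id to an int, validate the URL."""
    title = html.escape(widget["title"], quote=True)  # safe in text and attribute context
    return (
        f'<div class="widget" data-id="{int(widget["id"])}">'
        f"<h3>{title}</h3>"
        f'<a href="{safe_url(widget["link"])}">details</a></div>'
    )


class ActiveContentFinder(HTMLParser):
    """Collects tags and attributes that would run script when the page loads."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(rendered: str) -> list[str]:
    """Return the script-bearing constructs found in a rendered fragment."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    return finder.findings


if __name__ == "__main__":
    for name, render in (("unsafe", render_widget_unsafe), ("safe", render_widget_safe)):
        out = render(STORED_WIDGET)
        print(f"{name}: {out}")
        print(f"  active content: {active_content(out)}")
```

The check is deliberately a parser, not a substring search: the escaped output still contains the characters `onerror=` as inert text, and only a real HTML tokenizer tells inert text apart from a live attribute, which is the same distinction the victim's browser makes.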
Affected Products and Versions
The advisory covers a wide surface area of Broadcom’s virtualization and cloud product portfolio:
- VMware Aria Operations — versions 8.x
- VMware Cloud Foundation Operations — versions 9.0.x.x and 9.1.x.x
- VMware Cloud Foundation — versions 5.x and 9.x
- VMware vSphere Foundation — versions 9.x
- VMware Telco Cloud Platform — version 5.x
The breadth of affected products underscores how deeply VMware Cloud Foundation Operations is embedded across enterprise data centers, telco infrastructure, and hybrid cloud deployments. Organizations running any of these platforms without patching should treat remediation as a priority task.
Fixed Versions
Broadcom has confirmed patches for all affected versions. Here are the fixed releases:
- VMware Cloud Foundation 9.1.x.x → Update to 9.1.0.0 (addresses CVE-2026-41722 and CVE-2026-41723)
- VMware Cloud Foundation 9.0.x.x → Update to 9.0.2.0 EP2 (addresses CVE-2026-41722 and CVE-2026-41723)
- VMware Aria Operations 8.x → Update to 8.18.6 (CVE-2026-41722, CVE-2026-41723) or 8.18.7 (all three CVEs)
- VMware Cloud Foundation 5.x → Update VMware Aria Operations to 8.18.7
- VMware Telco Cloud Platform 5.x → Apply patch per KB443138
Broadcom has confirmed no workarounds exist for any of the three vulnerabilities, making patching the only available remediation path. This is a critical detail that administrators should not overlook: there is no temporary mitigation available while patch deployment is scheduled.
Stored XSS vulnerabilities in cloud management platforms represent a particularly high-risk class of flaw. Management planes like VMware Cloud Foundation Operations have sweeping visibility and control over an organization’s entire virtualized infrastructure: compute, storage, networking, and policy enforcement. A successful exploitation chain could allow an attacker to:
- Steal session tokens of administrators managing thousands of virtual machines
- Modify cloud policies and security configurations without triggering traditional alerting
- Create persistent backdoor access by injecting scripts that execute on every admin login
- Pivot deeper into connected VMware environments such as vCenter, NSX, or vSAN
The fact that these vulnerabilities were discovered by Alexis Bernazzani of Visa Inc. and reported to Broadcom through responsible disclosure channels suggests they were not yet publicly weaponized, but the relatively low barrier to exploitation (requiring only standard user privileges) means that proof-of-concept code could emerge quickly now that the advisory is public.
Mitigation
Security and operations teams should take the following actions immediately:
- Audit your environment for all VMware Aria Operations, VCF Operations, vSphere Foundation, and Telco Cloud Platform deployments
- Cross-reference installed versions against the affected version matrix in VMSA-2026-0004
- Apply the appropriate patch, prioritizing environments where multiple user roles have widget or policy creation access
- Review audit logs for any anomalous widget, view, or policy creation activity dating back 30–60 days
- Restrict access to the VCF Operations management UI to trusted IP ranges and enforce MFA for all admin accounts as a defense-in-depth measure
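The version cross-reference step above can be scripted. The following is an added example, not Broadcom tooling: the fixed-version rows and the CVEs each release addresses are copied from the advisory summary in this article, while the product-name strings, the treatment of an "EP2" suffix as an extra patch level that sorts after the bare release, and the branch-matching rules are my assumptions. Check the official VMSA-2026-0004 matrix before acting on the output.

```python
"""Triage an installed version against the VMSA-2026-0004 fixed-version matrix.

Added example; not Broadcom code.  Fixed versions and CVE coverage come from the
advisory summary above.  Version parsing (including the "EP" suffix rule) and
the product-name strings are assumptions made for this script.
"""
import re
from dataclasses import dataclass

CVES = ("CVE-2026-41722", "CVE-2026-41723", "CVE-2026-41724")


@dataclass(frozen=True)
class Fix:
    product: str      # product line as named in the advisory (string form assumed)
    branch: str       # affected version branch, e.g. "8.x" or "9.0.x.x"
    fixed_in: str     # first release carrying the fix
    cves: tuple       # CVEs that release addresses


# Rows as listed under "Fixed Versions" above.
FIX_MATRIX = (
    Fix("VMware Aria Operations", "8.x", "8.18.6", CVES[:2]),
    Fix("VMware Aria Operations", "8.x", "8.18.7", CVES),
    Fix("VMware Cloud Foundation Operations", "9.0.x.x", "9.0.2.0 EP2", CVES[:2]),
    Fix("VMware Cloud Foundation Operations", "9.1.x.x", "9.1.0.0", CVES[:2]),
)


def parse_version(text: str):
    """'9.0.2.0 EP2' -> ((9, 0, 2, 0), 2); '8.18.6' -> ((8, 18, 6), 0).

    Assumption: an "EPn" suffix is an extra-patch level that sorts after the
    bare release of the same number.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:\s+EP(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def in_branch(version, branch: str) -> bool:
    """'9.0.x.x' matches any version whose leading components are 9.0."""
    fixed = tuple(int(p) for p in branch.split(".") if p != "x")
    return version[0][: len(fixed)] == fixed


def version_ge(a, b) -> bool:
    """Compare (numbers, ep) pairs, padding shorter number tuples with zeros."""
    n = max(len(a[0]), len(b[0]))
    pad = lambda v: v[0] + (0,) * (n - len(v[0]))
    return (pad(a), a[1]) >= (pad(b), b[1])


def patch_status(product: str, installed: str) -> dict:
    """Map each advisory CVE to 'fixed', 'open', or 'no fix listed' for this install."""
    version = parse_version(installed)
    rows = [f for f in FIX_MATRIX if f.product == product and in_branch(version, f.branch)]
    if not rows:
        raise ValueError(f"no matrix row for {product} {installed}")
    status = {}
    for cve in CVES:
        fixes = [f for f in rows if cve in f.cves]
        if not fixes:
            status[cve] = "no fix listed"
        elif any(version_ge(version, parse_version(f.fixed_in)) for f in fixes):
            status[cve] = "fixed"
        else:
            status[cve] = "open"
    return status


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("ops-a", "VMware Aria Operations", "8.18.5"),
        ("ops-b", "VMware Aria Operations", "8.18.6"),
        ("vcf-ops-1", "VMware Cloud Foundation Operations", "9.0.2.0"),
        ("vcf-ops-2", "VMware Cloud Foundation Operations", "9.0.2.0 EP2"),
    ]
    for host, product, ver in inventory:
        print(host, ver, patch_status(product, ver))
```

VMware Cloud Foundation 5.x deployments are remediated by updating their Aria Operations instance, so they are triaged through the "VMware Aria Operations" rows; Telco Cloud Platform 5.x follows KB443138 and is not modelled here. Note that for the 9.x rows the article lists no release addressing CVE-2026-41724, and the script reports exactly that rather than guessing.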
The Broadcom Support Portal and TechDocs provide direct download links for all patch packages and detailed upgrade procedures for each affected product line.
Frequently Asked Questions
Q1: What is the CVSSv3 score for CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724? All three vulnerabilities carry a CVSSv3 base score of 8.0, rated “Important” severity by Broadcom.
Q2: Is there a workaround available for the VMware Cloud Foundation XSS vulnerabilities? No, Broadcom has confirmed there are no workarounds, and applying the patched versions is the only remediation.
Q3: Who discovered the VMSA-2026-0004 vulnerabilities? Security researcher Alexis Bernazzani from Visa Inc. discovered and responsibly disclosed all three vulnerabilities to Broadcom.
Q4: Which VMware Aria Operations version fully patches all three CVEs? VMware Aria Operations version 8.18.7 is the first release to fully address all three CVEs: CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724.
Site: thecybrdef.com