
VMSA-2026-0004: Stored XSS in VMware Cloud Foundation Operations

Blurred lines of source code on a computer screen
Foto: Markus Spiske · Pexels

On June 8, 2026, Broadcom published security advisory VMSA-2026-0004, covering three stored cross-site scripting (XSS) vulnerabilities in VMware Cloud Foundation Operations (formerly Aria Operations). The identifiers are CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724, and all three carry the same score: CVSSv3 8.0, rated Important by Broadcom. Alexis Bernazzani of Visa Inc. reported the issues.

What it is

In a stored XSS, the attacker's script is persisted by the application itself and executes later, in the browser of whoever loads the page that renders it. Here the injection points are three places in the VMware Cloud Foundation Operations interface where users author content: creating policies, views and text widgets. An attacker with permission to create any of those elements can embed a script that runs in the browser of anyone who views the element, including staff with administrative privileges.

Who it affects

Exploitation is not open to an outsider: it requires an authenticated account with privileges to create policies, views or text widgets inside the platform. This is an attack by an authenticated user with some level of access, not by an anonymous attacker on the internet. In environments where operations are delegated across several teams, that does not narrow the risk much: any of those operators could escalate their actions into administrative tasks on the virtualization platform.

The affected versions and their fixes, per the advisory:

  • VMware Cloud Foundation / vSphere Foundation 9.1.x.x → update to 9.1.0.0
  • VMware Cloud Foundation / vSphere Foundation 9.0.x.x → update to 9.0.2.0 EP2
  • VMware Aria Operations 8.x → update to 8.18.6 or 8.18.7
  • VMware Cloud Foundation (Aria Operations) 5.x → update to 8.18.7
  • VMware Telco Cloud Platform (Aria Operations) 5.x → see KB443138

If you run the virtualization layer with VMware ESXi and use Cloud Foundation Operations for monitoring and policies, this is yours to handle.

Severity

A CVSSv3 score of 8.0 sits in the High band, but read it in context. This is not unauthenticated remote code execution: it requires an account with content-creation permissions. The serious part is what comes next. The injected script runs in the browser of an administrator who loads the poisoned element, with that administrator's authenticated session, so it can perform administrative actions on the virtualization platform on the attacker's behalf. That turns an operator with limited permissions into someone able to act as an admin.
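To make the mechanism described under "What it is" and the session-riding consequence above concrete, here is an added example in JavaScript. It is not code from the advisory, from Broadcom or from the product: it is a minimal stand-in for a dashboard text widget that one user saves and another user's browser renders later. The widget store, both renderers, the scanner, the payload and the `/api/admin/action` URL are assumptions constructed for the illustration; nothing here reflects how the real product renders widgets or which endpoint an attacker would call.

```javascript
// Added example: stand-in for a "text widget" saved by one user and rendered later for
// another. Not VMware Cloud Foundation Operations code; every name and the payload below
// are assumptions constructed to illustrate the stored-XSS pattern the advisory describes.

// Server-side store: widget content written by an operator, read back on every render.
// The gap between save and render is what makes the XSS "stored".
const widgetStore = new Map();

function saveTextWidget(id, text) {
  widgetStore.set(id, { id, text });
}

// Vulnerable renderer: stored text is interpolated straight into HTML, so any markup
// the author saved becomes live DOM in the viewer's browser.
function renderTextWidgetUnsafe(id) {
  const w = widgetStore.get(id);
  return `<div class="text-widget" data-id="${w.id}">${w.text}</div>`;
}

// Entity-escape untrusted text for HTML element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is escaped before interpolation.
function renderTextWidgetSafe(id) {
  const w = widgetStore.get(id);
  return `<div class="text-widget" data-id="${escapeHtml(w.id)}">${escapeHtml(w.text)}</div>`;
}

// Small tag scanner used to show the difference between the two renderers: it reports
// script-bearing tags and any attribute that registers an event handler (on*).
const TAG_RE = /<\s*([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
const SCRIPT_TAGS = new Set(["script", "iframe", "object", "embed"]);

function findActiveContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (SCRIPT_TAGS.has(tag)) findings.push({ tag, attr: null });
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (name.startsWith("on")) findings.push({ tag, attr: name });
    }
  }
  return findings;
}

// Constructed payload standing in for what a low-privileged operator might save. If an
// administrator's browser renders it unescaped, the handler runs with the admin's session
// and can call whatever the admin can. The URL is made up for the example.
const PAYLOAD = '<img src=x onerror="fetch(\'/api/admin/action\',{method:\'POST\'})">';

// Save the payload once, then render it both ways as two different viewers would see it.
function demo() {
  saveTextWidget("w1", PAYLOAD);
  const unsafe = renderTextWidgetUnsafe("w1");
  const safe = renderTextWidgetSafe("w1");
  return {
    unsafe,
    safe,
    unsafeFindings: findActiveContent(unsafe),
    safeFindings: findActiveContent(safe),
  };
}

const result = demo();
console.log("unsafe render:", result.unsafe);
console.log("active content found:", result.unsafeFindings);
console.log("safe render:  ", result.safe);
console.log("active content found:", result.safeFindings);
```

Run it with `node`. The unsafe renderer emits the operator's `<img onerror>` as live markup, so the handler fires in whichever session loads the dashboard; the escaped renderer emits the same string as inert text and the scanner finds nothing. Escaping is the right fix when a widget is plain text; if the product intends to allow rich text, an allow-list sanitizer such as DOMPurify is needed instead, and a Content-Security-Policy that forbids inline handlers is a useful second layer either way.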

Mitigation

There is no alternative fix. Broadcom states it plainly in the advisory: for these three vulnerabilities, no workaround exists. The only path is updating to the fixed versions listed above.

While you plan the update, review who has permission to create policies, views and text widgets, and trim that list to the minimum. It doesn’t patch the flaw, but it limits who could abuse it. If you want to sort through the rest of the month’s advisories, we have a rundown in our article on the Xen security advisories XSA-491 to XSA-494, which landed the next day.
