Description
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. 

To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947).
Published: 2026-02-25
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting allows execution of admin actions
Action: Patch
AI Analysis

Impact

VMware Aria Operations contains a stored cross-site scripting flaw (CWE-79): a malicious actor who holds the privilege to create custom benchmarks can store script inside benchmark data. When another user, in the typical case an administrator, later views that stored content in the Aria Operations console, the script runs in that user's browser in the context of the application, and the attacker can drive administrative actions with the victim's session. Because the payload persists server-side, it fires on every view until the stored content is removed or the rendering is fixed. The CVSS vector rates confidentiality, integrity and availability impact all High, so the realistic outcome is unauthorized configuration changes or an effective escalation from the benchmark-creator role to administrative control of the platform.
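The pattern described above, shown as an added illustration rather than Aria Operations code: the field names, the two render functions and the sample benchmark are assumptions made here, and the admin URL in the payload is a placeholder. The vulnerable renderer concatenates stored benchmark data into HTML; the hardened one entity-encodes every untrusted value for the element-content context first.

```javascript
// Added illustration of the stored-XSS pattern behind CVE-2026-22720.
// This is NOT Aria Operations code: the field names, render functions
// and sample benchmark are assumptions made here to show the vulnerable
// and the hardened rendering side by side.

// Constructed sample: a custom benchmark whose name carries a payload.
// A benchmark-creator stores this once; the console renders it for every
// user who views the benchmark list. "/placeholder-admin-action" is a
// hypothetical endpoint, not a real Aria Operations route.
const storedBenchmarks = [
  { name: "CPU baseline", threshold: 80 },
  {
    name: '<img src=x onerror="fetch(\'/placeholder-admin-action\',{method:\'POST\'})">',
    threshold: 90,
  },
];

// Vulnerable: benchmark data is concatenated straight into HTML.
function renderBenchmarkRowUnsafe(b) {
  return `<tr><td>${b.name}</td><td>${b.threshold}</td></tr>`;
}

// Hardened: every untrusted value is HTML-entity encoded for the
// element-content context before it reaches the markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderBenchmarkRowSafe(b) {
  return `<tr><td>${escapeHtml(b.name)}</td><td>${escapeHtml(b.threshold)}</td></tr>`;
}

// Crude check used only to demonstrate the difference: after stripping the
// template's own <tr>/<td> tags, does the markup still contain a live tag
// that came from the stored value?
function containsLiveTag(html) {
  const withoutTemplateTags = html.replace(/<\/?(tr|td)>/g, "");
  return /<(script|img|svg|iframe)\b/i.test(withoutTemplateTags);
}

function renderAll(render) {
  return storedBenchmarks.map(render).join("\n");
}

const unsafeHtml = renderAll(renderBenchmarkRowUnsafe);
const safeHtml = renderAll(renderBenchmarkRowSafe);

console.log("unsafe output carries a live tag:", containsLiveTag(unsafeHtml)); // true
console.log("safe output carries a live tag:", containsLiveTag(safeHtml));     // false
```

The escaping here is for text placed between tags; a value inserted into an attribute, a URL or a script block needs the encoder for that context, which is why framework-level auto-escaping or a DOM API such as textContent is the usual fix rather than hand-rolled replaces.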

Affected Systems

The vulnerability affects the four VMware products listed in the CPE data: VMware Aria Operations, VMware Cloud Foundation Operations, VMware Telco Cloud Infrastructure, and VMware Telco Cloud Platform. Any Aria Operations 8.x installation earlier than 8.18.6 and any Cloud Foundation Operations 9.x installation earlier than 9.0.2.0 is vulnerable. The two Telco Cloud products are listed as affected, but their fixed builds are given only in the VMSA-2026-0001 response matrix, not on this page.

Risk and Exploitability

The CVSS v3.1 score is 8.0 (High) with vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H: network-reachable and low complexity, but it requires an authenticated attacker with low privileges (the right to create custom benchmarks) and user interaction, because a victim has to view the stored content for the script to run. CVSS measures severity, not likelihood of exploitation: the EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) both indicate that exploitation in the wild is not currently observed, and the vulnerability is not listed in CISA's KEV catalog. The practical threat model is an insider or a compromised account that can create custom benchmarks and uses the stored script to act as an administrator who later opens the benchmark.

Generated by OpenCVE AI on April 15, 2026 at 15:11 UTC.

Remediation

Vendor Solution

Apply the vendor patches listed in the 'Fixed Version' column of the Response Matrix of VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947). Fixed versions include VMware Aria Operations 8.18.6 (for 8.x) and VMware Cloud Foundation Operations 9.0.2.0 (for 9.x).


OpenCVE Recommended Actions

  • Apply the vendor patches for VMware Aria Operations 8.18.6 or newer and VMware Cloud Foundation Operations 9.0.2.0 or newer as listed in the VMSA-2026-0001 response matrix.
  • Limit or revoke privileges that allow users to create custom benchmarks until the vulnerability is patched, reducing the opportunity for malicious script injection.
  • Input validation and output encoding are fixes only the vendor can make inside the product; do not treat them as an interim control you can apply as an operator. If custom benchmark creation must stay enabled before patching, restrict it to a small set of trusted accounts, review existing custom benchmarks for unexpected HTML or script content, and re-check them after patching so that a payload stored before the fix is not left in place.
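A triage check for the patch step above, added here as an example and not OpenCVE's or Broadcom's tooling: it compares an inventory of deployments against the fixed versions this page states, using numeric segment comparison so that 9.0.10 is correctly treated as newer than 9.0.2.0. The inventory, the product keys and the host names are constructed sample data; the Telco Cloud products are flagged for a manual look at the response matrix because the page gives no fixed build for them.

```javascript
// Added example, not OpenCVE's or Broadcom's tooling: triage an inventory of
// Aria Operations deployments against the fixed versions this page gives
// for VMSA-2026-0001. The inventory and product keys are assumptions.

// Fixed versions as stated on this page.
const FIXED_VERSIONS = {
  aria_operations: "8.18.6",               // 8.x line
  cloud_foundation_operations: "9.0.2.0",  // 9.x line
};

// Listed as affected, but the fixed build is only in the vendor response
// matrix, so these are flagged for manual lookup rather than compared.
const MANUAL_LOOKUP = new Set(["telco_cloud_infrastructure", "telco_cloud_platform"]);

// Segment-wise numeric comparison: returns -1, 0 or 1. Plain string
// comparison would wrongly rank "9.0.2.0" above "9.0.10".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns "patch", "ok", "check-advisory" or "unknown-product".
function triage(product, version) {
  if (MANUAL_LOOKUP.has(product)) return "check-advisory";
  const fixed = FIXED_VERSIONS[product];
  if (!fixed) return "unknown-product";
  // Hotfix or build strings that are not plain dotted numbers cannot be
  // compared safely; send them to the response matrix.
  if (!/^\d+(\.\d+)*$/.test(version)) return "check-advisory";
  // The fix for each product applies within one major line (8.x or 9.x);
  // a different major is a different product line on the matrix.
  if (version.split(".")[0] !== fixed.split(".")[0]) return "check-advisory";
  return compareVersions(version, fixed) < 0 ? "patch" : "ok";
}

// Constructed sample inventory.
const inventory = [
  { host: "ops-prod-01", product: "aria_operations", version: "8.18.5" },
  { host: "ops-prod-02", product: "aria_operations", version: "8.18.6" },
  { host: "vcfo-01", product: "cloud_foundation_operations", version: "9.0.1.0" },
  { host: "vcfo-02", product: "cloud_foundation_operations", version: "9.0.10" },
  { host: "tcp-01", product: "telco_cloud_platform", version: "4.0" },
];

function triageInventory(inv) {
  return inv.map((e) => ({ ...e, action: triage(e.product, e.version) }));
}

for (const r of triageInventory(inventory)) {
  console.log(`${r.host}\t${r.product}\t${r.version}\t${r.action}`);
}
```

Anything that comes back as "check-advisory" is not a pass: it means the version string or product line cannot be decided from this page alone and must be checked against the vendor response matrix.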

Generated by OpenCVE AI on April 15, 2026 at 15:11 UTC.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:a:vmware:aria_operations:*:*:*:*:*:*:*:*
  cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
  cpe:2.3:a:vmware:telco_cloud_infrastructure:*:*:*:*:*:*:*:*
  cpe:2.3:a:vmware:telco_cloud_platform:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Vmware
  Vmware aria Operations
  Vmware cloud Foundation
  Vmware telco Cloud Infrastructure
  Vmware telco Cloud Platform

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Vmware
  Vmware aria Operations
  Vmware cloud Foundation
  Vmware telco Cloud Infrastructure
  Vmware telco Cloud Platform

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:00:00 +0000

Type: Description
Values Removed: (none)
Values Added:
  VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947).

Type: Title
Values Added:
  VMware Aria Operations stored cross-site scripting vulnerability

Type: Weaknesses
Values Added:
  CWE-79

Type: References
Values Added: (none)

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-14T10:40:29.059Z

Reserved: 2026-01-09T06:54:36.841Z

Link: CVE-2026-22720

Vulnrichment

Updated: 2026-02-25T20:55:38.816Z

NVD

Status : Analyzed

Published: 2026-02-25T20:23:47.077

Modified: 2026-03-04T15:55:32.197

Link: CVE-2026-22720

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses