Description
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Published: 2026-06-08
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Attacker can inject malicious scripts through the UI of VMware Cloud Foundation Operations by creating policies, views, or text‑widgets. The stored cross‑site scripting flaw permits the injected code to run with the permissions of the logged‑in user, potentially allowing the attacker to perform privileged administrative actions such as modifying configurations or altering system settings.

Affected Systems

The vulnerability affects VMware Cloud Foundation Operations, VMware Aria Operations, and VMware Telco Cloud Platform. No specific version information is provided in the advisory.

Risk and Exploitability

The CVSS score of 8.0 categorizes this flaw as high severity. Because EPSS data is not available, the exact likelihood of exploitation is unknown, but the flaw is not currently listed in the CISA KEV catalog. Attackers would need legitimate privileges to create policies or widgets, so the attack vector is via privileged user interaction with the application UI. Once the malicious script executes, it can cause a range of administrative abuses depending on the privileges of the account in use.

Generated by OpenCVE AI on June 8, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest VMware Cloud Foundation Operations update that contains the fix for CVE‑2026‑41722
  • Revoke or limit the privileges that allow users to create policies, views, or text‑widgets unless they need them for their role
  • Implement input validation or sanitization on all UI fields that accept user‑supplied text to prevent script injection
  • Monitor application logs and user activity for signs of unauthorized script execution or administrative changes
  • If a patch is unavailable, disable or remove the affected UI components that accept user input until the fix is applied

Generated by OpenCVE AI on June 8, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware aria Operations
Vmware telco Cloud Platform
Vmware vcf Operations
Vendors & Products Vmware
Vmware aria Operations
Vmware telco Cloud Platform
Vmware vcf Operations

Mon, 08 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 08 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Title VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Vmware Aria Operations Telco Cloud Platform Vcf Operations
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T11:52:36.791Z

Reserved: 2026-04-22T06:21:37.021Z

Link: CVE-2026-41722

cve-icon Vulnrichment

Updated: 2026-06-08T10:31:58.844Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-08T09:16:30.363

Modified: 2026-06-09T13:16:36.127

Link: CVE-2026-41722

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:57:28Z

Weaknesses