Description
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Published: 2026-06-08
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

VMware Cloud Foundation Operations suffers from stored cross-site scripting. A threat actor who can create policies, views or text-widgets can insert malicious script; when that script runs in an administrator's browser it can perform privileged actions on the administrator's behalf. Based on the description, it is inferred that the flaw may allow an attacker with such privileges to override normal authorization checks, which could lead to unauthorized configuration changes or data exposure.

Affected Systems

The affected products are VMware Cloud Foundation Operations, VMware Aria Operations, and VMware Telco Cloud Platform. No specific version numbers are listed in the advisory, so all current installations of these products should be considered vulnerable until a fix is applied.

Risk and Exploitability

With a CVSS score of 8, this vulnerability presents a high-severity risk. The EPSS score is not available, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to have the ability to create policies, views or text-widgets, privileges that are typically granted only to administrators or users with elevated rights. Once the script executes in the context of an authenticated user, it can trigger administrative actions without additional authentication.

Generated by OpenCVE AI on June 8, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided security patch or update to a version that addresses the stored XSS issue.
  • Restrict user privileges to limit who can create or edit policies, views or widgets, ensuring only trusted administrators have these capabilities.
  • Disable or remove the creation of text widgets or other user-editable content if the feature is not required, as a temporary mitigation until a patch is installed.

Generated by OpenCVE AI on June 8, 2026 at 09:51 UTC.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 10:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79

Mon, 08 Jun 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Title | | VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
References | |
Metrics cvssV3_1 | | {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-08T10:28:33.173Z

Reserved: 2026-04-22T06:21:39.014Z

Link: CVE-2026-41724

Vulnrichment

Updated: 2026-06-08T10:28:27.032Z

NVD

Status: Received

Published: 2026-06-08T09:16:30.693

Modified: 2026-06-08T09:16:30.693

Link: CVE-2026-41724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T10:00:13Z

Weaknesses