Introduction
Three stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations, disclosed together in VMSA-2026-0004, allow a low-privileged authenticated user to inject persistent scripts that execute administrative actions when viewed by higher-privileged users. CVE-2026-41723 is one of this trio, and it lands in a product family that has already seen active exploitation of a related command injection flaw (CVE-2026-22719) within 30 days of disclosure earlier this year, making the urgency of patching concrete rather than theoretical.
Technical Information
Root Cause: Insufficient Input Sanitization
CVE-2026-41723 is a stored cross-site scripting vulnerability rooted in the failure of VMware Cloud Foundation Operations to properly sanitize user-supplied input across three distinct creation workflows: policies, views, and text-widgets. When an authenticated user with privileges to create any of these elements submits content containing JavaScript, the application stores the payload without adequate encoding or filtering. The malicious content is then rendered verbatim in the browser of any subsequent user who views the affected dashboard element.
The CVSSv3.1 vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, producing a base score of 8.0. The decomposition tells a clear story about the attack surface:
| CVSS Component | Value | Implication |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | Low (AC:L) | No specialized conditions required |
| Privileges Required | Low (PR:L) | Attacker needs only basic policy/widget creation rights |
| User Interaction | Required (UI:R) | Victim must access the compromised dashboard element |
| Scope | Unchanged (S:U) | Impact confined to the vulnerable component |
| Confidentiality | High (C:H) | Full access to sensitive data possible |
| Integrity | High (I:H) | Data modification at administrative level possible |
| Availability | High (A:H) | Service disruption achievable |
Why Stored XSS Matters Here
The "stored" classification is what elevates this from a nuisance to a serious threat. Unlike reflected XSS, the malicious payload persists in the application database. Every user who views the affected policy, view, or text-widget triggers the script execution. This persistence transforms a single injection into a sustained attack vector capable of hijacking administrative sessions across multiple victims without requiring repeated attacker interaction.
Attack Flow
A realistic exploitation chain proceeds through the following steps:
-
Initial injection: A low-privileged operator (or a compromised account with operator-level access) creates a policy, view, or text-widget containing embedded JavaScript. The payload is accepted and stored because input validation is insufficient.
-
Trigger via normal operations: An administrator accesses the dashboard containing the poisoned element as part of their routine workflow. The user interaction requirement (UI:R) is satisfied by normal dashboard viewing; no social engineering beyond standard operations is needed.
-
Script execution in admin context: The injected script executes in the administrator's browser with their session token and full session privileges.
-
Administrative action abuse: The script can perform any administrative action available through the VCF Operations web interface. This includes modifying cloud infrastructure configurations, accessing sensitive operational data, creating new administrative accounts, or planting additional persistent backdoors in other dashboard elements.
-
Lateral persistence: Because the attacker can create additional poisoned widgets or policies using the hijacked admin session, the attack can propagate across the management interface, establishing multiple persistence points.
Three Sibling Vulnerabilities
CVE-2026-41723 is one of three stored XSS flaws disclosed in VMSA-2026-0004. All three share identical CVSS vectors and descriptions, differing in the specific injection point:
| CVE ID | CVSS | Fixed in Aria Operations |
|---|---|---|
| CVE-2026-41722 | 8.0 | 8.18.6 and 8.18.7 |
| CVE-2026-41723 | 8.0 | 8.18.6 and 8.18.7 |
| CVE-2026-41724 | 8.0 | 8.18.7 only |
The presence of three distinct injection points with identical characteristics in a single advisory strongly suggests a systemic input sanitization deficiency rather than isolated coding errors. This is further reinforced by the fact that VMSA-2026-0001, published just four months earlier in February 2026, addressed CVE-2026-22720, another stored XSS flaw in the same product family that allowed script injection through custom benchmark definitions.
Convergence of Risk Factors
The significance of CVE-2026-41723 extends beyond its standalone CVSS score due to three converging factors. First, the systemic XSS prevalence across two advisories in four months indicates a codebase-wide sanitization problem, meaning additional undiscovered XSS vectors likely exist. Second, the Aria/VCF Operations stack is a confirmed active target, with CVE-2026-22719 achieving CISA KEV status within 30 days of disclosure. Third, VCF Operations manages the entire virtualized infrastructure layer, so administrative actions compromised through XSS can affect VM deployment, network configuration, and storage allocation across the enterprise.
Patch Information
Broadcom addressed CVE-2026-41723 on June 8, 2026, through security advisory VMSA-2026-0004, which bundles fixes for all three related stored XSS vulnerabilities. Broadcom confirmed there are no workarounds for this flaw. Applying the vendor-supplied update is the sole remediation path.
The fix sanitizes user-supplied input in policy, view, and text-widget creation workflows so that injected script payloads are no longer stored or rendered.
The complete remediation matrix:
| Product | Affected Versions | Fixed Version | Notes |
|---|---|---|---|
| VCF Operations | 9.1.x.x | 9.1.0.0 | Full fix for all three CVEs |
| VCF Operations | 9.0.x.x | 9.0.2.0 EP2 | Full fix for all three CVEs |
| VMware Aria Operations | 8.x | 8.18.6 | Partial: CVE-2026-41722 and CVE-2026-41723 only |
| VMware Aria Operations | 8.x | 8.18.7 | Full fix for all three CVEs |
| VMware Cloud Foundation 5.x | 5.x | Aria Operations 8.18.7 | Component level fix |
| VMware Telco Cloud Platform 5.x | 5.x | Per KB443138 | Broadcom KB article |
A critical nuance: VMware Aria Operations version 8.18.6 remediates CVE-2026-41723 and CVE-2026-41722, but does not address CVE-2026-41724. Only version 8.18.7 covers all three CVEs. Organizations running the standalone Aria Operations product should upgrade directly to 8.18.7 to close all three issues in a single update cycle.
Downloads for each fixed release are available through the Broadcom Support Portal.
Interim Risk Reduction
While patching is the only complete fix, the following measures reduce the attack surface based on the documented prerequisites:
- Restrict creation privileges: Limit policy, view, and text-widget creation to the minimum set of essential administrative roles. This directly reduces the pool of accounts that could be used for injection.
- Monitor dashboard modifications: Review administrative dashboard access and modification logs for anomalous content, particularly unexpected JavaScript or HTML tags in policies, views, or text-widgets.
- Deploy WAF rules: Configure web application firewall rules to detect common XSS payload patterns in HTTP requests targeting VCF Operations endpoints, though this provides only partial coverage against evasion techniques.
- Enforce CSP headers: If the deployment architecture permits, enforce Content Security Policy headers on VCF Operations web interfaces to limit script execution contexts.
Affected Systems and Versions
The following products and version ranges are confirmed affected:
- VMware Cloud Foundation Operations (VCF Operations) versions 9.1.x.x and 9.0.x.x
- VMware Aria Operations version 8.x (all 8.x releases prior to 8.18.6 for CVE-2026-41723 specifically; prior to 8.18.7 for complete coverage of all three sibling CVEs)
- VMware Cloud Foundation version 5.x (via the Aria Operations component)
- VMware vSphere Foundation (via the VCF Operations component)
- VMware Telco Cloud Platform version 5.x (via the Aria Operations component)
Any environment running these products with users who have privileges to create policies, views, or text-widgets is vulnerable.
Vendor Security History
Broadcom's VMware product line has experienced a sustained pattern of critical vulnerabilities over the past 18 months:
| Timeline | Advisory | Key CVEs | Severity | Exploitation Status |
|---|---|---|---|---|
| March 2025 | VMSA-2025-0004 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | Critical | Actively exploited zero-days; added to CISA KEV |
| February 2026 | VMSA-2026-0001 | CVE-2026-22719 (RCE), CVE-2026-22720 (XSS), CVE-2026-22721 (privesc) | CVSS 8.1, 8.0, 7.8 | CVE-2026-22719 actively exploited; CISA KEV March 2026 |
| June 2026 | VMSA-2026-0004 | CVE-2026-41722, CVE-2026-41723, CVE-2026-41724 | CVSS 8.0 each | No confirmed exploitation as of publication |
The March 2025 zero-days were reported by Microsoft Threat Intelligence Center and involved a TOCTOU race condition (CVE-2025-22224) that could allow attackers with administrative access to seize hypervisor control and break out of guest OS sandboxes.
The recurrence of stored XSS in the same product family across VMSA-2026-0001 and VMSA-2026-0004 (four months apart) signals a systemic input sanitization deficiency rather than isolated bugs. Organizations should consider conducting a code-level audit of all user-input rendering paths in VCF Operations beyond the three patched locations.
Broadcom's security disclosure practices have also drawn scrutiny. Security researchers have noted that Broadcom failed to adequately disclose the scope of active exploitation in a timely manner for prior VMware zero-days, leading to recommendations that organizations supplement Broadcom advisories with independent threat intelligence sources and CISA KEV monitoring.
The three CVEs in VMSA-2026-0004 were privately reported by Alexis Bernazzani of Visa Inc., following responsible disclosure practices.
References
- NVD: CVE-2026-41723
- Broadcom VMSA-2026-0004 Security Advisory
- Broadcom Fixes Critical VMware Stored XSS Bugs (SecurityOnline)
- Broadcom VMSA-2026-0001 Security Advisory
- VMware Aria Operations RCE (CVE-2026-22719) Analysis (OP Innovate)
- CISA Adds Actively Exploited VMware Aria Operations Flaw to KEV Catalog (The Hacker News)
- CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 (KSEC Forum)
- VMware Cloud Foundation Security Vulnerabilities in 2026 (Stack.Watch)
- VMSA-2026-0004 Analysis (Canberkki)
- VMware Cloud Foundation Overview (Broadcom TechDocs)
- Broadcom Urges Customers to Patch 3 Zero-Day VMware Flaws (Cybersecurity Dive)
- Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability (SecurityWeek)
- VMware Security Advisories (Broadcom)
- Security Advisory: VMware Aria Operations Vulnerabilities (SecPod)



