ZeroPath at Black Hat USA 2026

VMware Cloud Foundation Operations CVE-2026-41723: Overview of Stored XSS Enabling Administrative Hijacking

A brief summary of CVE-2026-41723, a stored cross-site scripting vulnerability in VMware Cloud Foundation Operations that allows low-privileged users to inject persistent scripts and hijack administrative sessions. Includes patch information and affected version details.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

VMware Cloud Foundation Operations CVE-2026-41723: Overview of Stored XSS Enabling Administrative Hijacking
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Three stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations, disclosed together in VMSA-2026-0004, allow a low-privileged authenticated user to inject persistent scripts that execute administrative actions when viewed by higher-privileged users. CVE-2026-41723 is one of this trio, and it lands in a product family that has already seen active exploitation of a related command injection flaw (CVE-2026-22719) within 30 days of disclosure earlier this year, making the urgency of patching concrete rather than theoretical.

Technical Information

Root Cause: Insufficient Input Sanitization

CVE-2026-41723 is a stored cross-site scripting vulnerability rooted in the failure of VMware Cloud Foundation Operations to properly sanitize user-supplied input across three distinct creation workflows: policies, views, and text-widgets. When an authenticated user with privileges to create any of these elements submits content containing JavaScript, the application stores the payload without adequate encoding or filtering. The malicious content is then rendered verbatim in the browser of any subsequent user who views the affected dashboard element.

The CVSSv3.1 vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, producing a base score of 8.0. The decomposition tells a clear story about the attack surface:

CVSS ComponentValueImplication
Attack VectorNetwork (AV:N)Exploitable remotely over the network
Attack ComplexityLow (AC:L)No specialized conditions required
Privileges RequiredLow (PR:L)Attacker needs only basic policy/widget creation rights
User InteractionRequired (UI:R)Victim must access the compromised dashboard element
ScopeUnchanged (S:U)Impact confined to the vulnerable component
ConfidentialityHigh (C:H)Full access to sensitive data possible
IntegrityHigh (I:H)Data modification at administrative level possible
AvailabilityHigh (A:H)Service disruption achievable

Why Stored XSS Matters Here

The "stored" classification is what elevates this from a nuisance to a serious threat. Unlike reflected XSS, the malicious payload persists in the application database. Every user who views the affected policy, view, or text-widget triggers the script execution. This persistence transforms a single injection into a sustained attack vector capable of hijacking administrative sessions across multiple victims without requiring repeated attacker interaction.

Attack Flow

A realistic exploitation chain proceeds through the following steps:

  1. Initial injection: A low-privileged operator (or a compromised account with operator-level access) creates a policy, view, or text-widget containing embedded JavaScript. The payload is accepted and stored because input validation is insufficient.

  2. Trigger via normal operations: An administrator accesses the dashboard containing the poisoned element as part of their routine workflow. The user interaction requirement (UI:R) is satisfied by normal dashboard viewing; no social engineering beyond standard operations is needed.

  3. Script execution in admin context: The injected script executes in the administrator's browser with their session token and full session privileges.

  4. Administrative action abuse: The script can perform any administrative action available through the VCF Operations web interface. This includes modifying cloud infrastructure configurations, accessing sensitive operational data, creating new administrative accounts, or planting additional persistent backdoors in other dashboard elements.

  5. Lateral persistence: Because the attacker can create additional poisoned widgets or policies using the hijacked admin session, the attack can propagate across the management interface, establishing multiple persistence points.

Three Sibling Vulnerabilities

CVE-2026-41723 is one of three stored XSS flaws disclosed in VMSA-2026-0004. All three share identical CVSS vectors and descriptions, differing in the specific injection point:

CVE IDCVSSFixed in Aria Operations
CVE-2026-417228.08.18.6 and 8.18.7
CVE-2026-417238.08.18.6 and 8.18.7
CVE-2026-417248.08.18.7 only

The presence of three distinct injection points with identical characteristics in a single advisory strongly suggests a systemic input sanitization deficiency rather than isolated coding errors. This is further reinforced by the fact that VMSA-2026-0001, published just four months earlier in February 2026, addressed CVE-2026-22720, another stored XSS flaw in the same product family that allowed script injection through custom benchmark definitions.

Convergence of Risk Factors

The significance of CVE-2026-41723 extends beyond its standalone CVSS score due to three converging factors. First, the systemic XSS prevalence across two advisories in four months indicates a codebase-wide sanitization problem, meaning additional undiscovered XSS vectors likely exist. Second, the Aria/VCF Operations stack is a confirmed active target, with CVE-2026-22719 achieving CISA KEV status within 30 days of disclosure. Third, VCF Operations manages the entire virtualized infrastructure layer, so administrative actions compromised through XSS can affect VM deployment, network configuration, and storage allocation across the enterprise.

Patch Information

Broadcom addressed CVE-2026-41723 on June 8, 2026, through security advisory VMSA-2026-0004, which bundles fixes for all three related stored XSS vulnerabilities. Broadcom confirmed there are no workarounds for this flaw. Applying the vendor-supplied update is the sole remediation path.

The fix sanitizes user-supplied input in policy, view, and text-widget creation workflows so that injected script payloads are no longer stored or rendered.

The complete remediation matrix:

ProductAffected VersionsFixed VersionNotes
VCF Operations9.1.x.x9.1.0.0Full fix for all three CVEs
VCF Operations9.0.x.x9.0.2.0 EP2Full fix for all three CVEs
VMware Aria Operations8.x8.18.6Partial: CVE-2026-41722 and CVE-2026-41723 only
VMware Aria Operations8.x8.18.7Full fix for all three CVEs
VMware Cloud Foundation 5.x5.xAria Operations 8.18.7Component level fix
VMware Telco Cloud Platform 5.x5.xPer KB443138Broadcom KB article

A critical nuance: VMware Aria Operations version 8.18.6 remediates CVE-2026-41723 and CVE-2026-41722, but does not address CVE-2026-41724. Only version 8.18.7 covers all three CVEs. Organizations running the standalone Aria Operations product should upgrade directly to 8.18.7 to close all three issues in a single update cycle.

Downloads for each fixed release are available through the Broadcom Support Portal.

Interim Risk Reduction

While patching is the only complete fix, the following measures reduce the attack surface based on the documented prerequisites:

  • Restrict creation privileges: Limit policy, view, and text-widget creation to the minimum set of essential administrative roles. This directly reduces the pool of accounts that could be used for injection.
  • Monitor dashboard modifications: Review administrative dashboard access and modification logs for anomalous content, particularly unexpected JavaScript or HTML tags in policies, views, or text-widgets.
  • Deploy WAF rules: Configure web application firewall rules to detect common XSS payload patterns in HTTP requests targeting VCF Operations endpoints, though this provides only partial coverage against evasion techniques.
  • Enforce CSP headers: If the deployment architecture permits, enforce Content Security Policy headers on VCF Operations web interfaces to limit script execution contexts.

Affected Systems and Versions

The following products and version ranges are confirmed affected:

  • VMware Cloud Foundation Operations (VCF Operations) versions 9.1.x.x and 9.0.x.x
  • VMware Aria Operations version 8.x (all 8.x releases prior to 8.18.6 for CVE-2026-41723 specifically; prior to 8.18.7 for complete coverage of all three sibling CVEs)
  • VMware Cloud Foundation version 5.x (via the Aria Operations component)
  • VMware vSphere Foundation (via the VCF Operations component)
  • VMware Telco Cloud Platform version 5.x (via the Aria Operations component)

Any environment running these products with users who have privileges to create policies, views, or text-widgets is vulnerable.

Vendor Security History

Broadcom's VMware product line has experienced a sustained pattern of critical vulnerabilities over the past 18 months:

TimelineAdvisoryKey CVEsSeverityExploitation Status
March 2025VMSA-2025-0004CVE-2025-22224, CVE-2025-22225, CVE-2025-22226CriticalActively exploited zero-days; added to CISA KEV
February 2026VMSA-2026-0001CVE-2026-22719 (RCE), CVE-2026-22720 (XSS), CVE-2026-22721 (privesc)CVSS 8.1, 8.0, 7.8CVE-2026-22719 actively exploited; CISA KEV March 2026
June 2026VMSA-2026-0004CVE-2026-41722, CVE-2026-41723, CVE-2026-41724CVSS 8.0 eachNo confirmed exploitation as of publication

The March 2025 zero-days were reported by Microsoft Threat Intelligence Center and involved a TOCTOU race condition (CVE-2025-22224) that could allow attackers with administrative access to seize hypervisor control and break out of guest OS sandboxes.

The recurrence of stored XSS in the same product family across VMSA-2026-0001 and VMSA-2026-0004 (four months apart) signals a systemic input sanitization deficiency rather than isolated bugs. Organizations should consider conducting a code-level audit of all user-input rendering paths in VCF Operations beyond the three patched locations.

Broadcom's security disclosure practices have also drawn scrutiny. Security researchers have noted that Broadcom failed to adequately disclose the scope of active exploitation in a timely manner for prior VMware zero-days, leading to recommendations that organizations supplement Broadcom advisories with independent threat intelligence sources and CISA KEV monitoring.

The three CVEs in VMSA-2026-0004 were privately reported by Alexis Bernazzani of Visa Inc., following responsible disclosure practices.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization