Introduction
A trio of stored cross-site scripting vulnerabilities in VMware Cloud Foundation Operations allows any authenticated user with the ability to create policies, views, or text widgets to inject persistent scripts that execute with full administrative privileges when an admin views the compromised content. For organizations running VMware's operations management stack, which spans five distinct product lines and underpins the monitoring and management of their entire virtualized infrastructure, this represents a practical privilege escalation path from a low privileged account to complete administrative control.
CVE-2026-41724 is the third of three related flaws disclosed in Broadcom's VMSA-2026-0004 advisory on June 8, 2026, and it specifically targets the text widget creation flow. All three CVEs carry a CVSS 3.1 base score of 8.0 (High), and notably, no workarounds are available for any of them.
Technical Information
Root Cause: Missing Input Sanitization Across Content Creation Interfaces
CVE-2026-41724 is classified as a stored cross-site scripting vulnerability, mapping to CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause is a failure to properly sanitize and encode user supplied input in the text widget creation flow of VMware Cloud Foundation Operations. When a user creates a text widget, the application stores the content as provided without neutralizing embedded script payloads. When that content is later rendered in another user's browser, typically an administrator reviewing dashboards or operational views, the injected script executes in the context of their authenticated session.
The CVSS v3.1 vector string is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, which breaks down as follows:
| CVSS Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Privileges Required (PR) | Low | Attacker needs only low level authenticated access |
| User Interaction (UI) | Required | An admin must view the compromised content |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Complete information disclosure possible |
| Integrity (I) | High | Complete system integrity compromise possible |
| Availability (A) | High | Complete system availability disruption possible |
Three Injection Surfaces, One Systemic Weakness
VMSA-2026-0004 bundles three distinct CVEs, each targeting a different content creation interface within the same product:
| CVE ID | CVSS | Injection Point |
|---|---|---|
| CVE-2026-41722 | 8.0 | Stored XSS via policy creation |
| CVE-2026-41723 | 8.0 | Stored XSS via view creation |
| CVE-2026-41724 | 8.0 | Stored XSS via text widget creation |
The fact that three separate injection surfaces share the same class of vulnerability indicates that VMware Cloud Foundation Operations lacked consistent input sanitization across its content creation features. This is not a single isolated coding error but rather a systemic gap in how user supplied content is handled before storage and rendering.
Attack Flow
The exploitation chain for CVE-2026-41724 proceeds as follows:
-
Initial Access: The attacker authenticates to VMware Cloud Foundation Operations with a low privileged account that has permissions to create text widgets. This is a common permission granted to operations team members who build and customize dashboards.
-
Payload Injection: The attacker creates or modifies a text widget, embedding malicious JavaScript in the widget content. Because the application does not sanitize or encode the input, the script is stored verbatim in the backend.
-
Persistence: The malicious script is now persistently stored on the server. Unlike reflected XSS, which requires the victim to click a crafted link, stored XSS payloads survive indefinitely and execute every time the compromised content is rendered.
-
Trigger: A legitimate administrator navigates to a dashboard or view that includes the compromised text widget. The application renders the widget content, including the injected script, in the administrator's browser.
-
Execution with Elevated Privileges: The injected JavaScript executes within the administrator's authenticated browser session. Because the administrator holds full administrative privileges in VCF Operations, the script can perform arbitrary administrative actions: creating new admin accounts, modifying monitoring policies, exfiltrating configuration data, or disabling security controls.
The critical aspect of this attack is the privilege differential. The attacker only needs low level access to inject the payload, but the impact is realized at the privilege level of whoever views the content. In an operations management tool, that viewer is almost always an administrator.
Credit
Broadcom credited Alexis Bernazzani of Visa Inc. for reporting these vulnerabilities, indicating responsible disclosure from a major financial institution's security team.
Patch Information
Broadcom published security advisory VMSA-2026-0004 on June 8, 2026, delivering patches for CVE-2026-41724 alongside its sibling stored XSS flaws CVE-2026-41722 and CVE-2026-41723. Because these are stored XSS vulnerabilities, the patch addresses the underlying failure to properly sanitize and encode user supplied input in the policy, view, and text widget creation flows. By correcting input validation and output encoding at these injection points, the update ensures that injected script payloads are rendered as inert text rather than executable code within an administrator's browser session.
No workarounds exist. Applying the vendor supplied fixed versions is the only remediation path.
The Response Matrix in the advisory deserves careful attention because the fixed version differs depending on which product line you are running, and not every fixed version covers CVE-2026-41724 specifically:
| Product / Component | Affected Version | Fixed Version | CVEs Covered |
|---|---|---|---|
| VMware Cloud Foundation / vSphere Foundation (VCF Operations) | 9.1.x.x | 9.1.0.0 | CVE-2026-41722, CVE-2026-41723 |
| VMware Cloud Foundation / vSphere Foundation (VCF Operations) | 9.0.x.x | 9.0.2.0 EP2 | CVE-2026-41722, CVE-2026-41723 |
| VMware Aria Operations (standalone) | 8.x | 8.18.6 | CVE-2026-41722, CVE-2026-41723 |
| VMware Aria Operations (standalone) | 8.x | 8.18.7 | CVE-2026-41722, CVE-2026-41723, CVE-2026-41724 |
| VMware Cloud Foundation 5.x (Aria Operations component) | 5.x | 8.18.7 | CVE-2026-41722, CVE-2026-41723, CVE-2026-41724 |
| VMware Telco Cloud Platform 5.x (Aria Operations component) | 5.x | KB443138 | CVE-2026-41722, CVE-2026-41723, CVE-2026-41724 |
There is a critical nuance here that administrators should not overlook: if you are running VMware Aria Operations 8.x (standalone or bundled with VCF 5.x or Telco Cloud Platform 5.x), you must upgrade to version 8.18.7 to fully remediate CVE-2026-41724. Version 8.18.6 only covers CVE-2026-41722 and CVE-2026-41723. Upgrading to 8.18.6 alone leaves CVE-2026-41724 unpatched. For VCF Operations 9.x environments, CVE-2026-41724 coverage is handled in the 9.1.0.0 and 9.0.2.0 EP2 builds alongside the other two CVEs.
Defense in Depth Measures
While patching is the definitive fix, the following measures can reduce the likelihood of exploitation during the patching window:
- Restrict text widget, policy, and view creation privileges to only essential personnel. Since the attack requires these specific permissions, limiting the pool of users who hold them directly reduces the attack surface.
- Enable Content Security Policy (CSP) in VMware Aria Operations. Broadcom documents CSP support in the product specifically to mitigate this class of vulnerability. Properly configured CSP can restrict script execution contexts and limit the impact of injected payloads.
- Monitor administrative action logs for anomalous text widget, policy, or view modifications from low privileged accounts, which could indicate exploitation attempts.
Affected Systems and Versions
The vulnerability impacts the following products and version ranges:
- VMware Cloud Foundation Operations versions 9.1.x.x (prior to 9.1.0.0)
- VMware Cloud Foundation Operations versions 9.0.x.x (prior to 9.0.2.0 EP2)
- VMware Aria Operations (standalone) version 8.x (prior to 8.18.7)
- VMware Cloud Foundation 5.x with embedded Aria Operations component (prior to Aria Operations 8.18.7)
- VMware vSphere Foundation with VCF Operations component (versions 9.0.x.x and 9.1.x.x, prior to the fixed builds listed above)
- VMware Telco Cloud Platform 5.x with embedded Aria Operations component (prior to the fix documented in KB443138)
This is a broad product surface area. VMware Cloud Foundation is deployed by a significant portion of VMware's approximately 500,000 enterprise customers worldwide, and VCF Operations / Aria Operations serves as the centralized monitoring and management plane for these environments.
Vendor Security History
The VMware Aria Operations and VCF Operations product family has a documented pattern of recurring stored XSS vulnerabilities:
| Advisory / Date | CVEs | CVSS | Vulnerability Type |
|---|---|---|---|
| VMSA-2024-0025 (November 2024) | CVE-2024-38832 | 7.1 | Stored XSS via "views" editing in Aria Operations |
| VMSA-2025-0003 (January 2025) | CVE-2025-22220 | Not specified | Stored XSS in Aria Operations for Logs |
| VMSA-2026-0001 (Early 2026) | CVE-2026-22719, 22720, 22721 | Not specified | Multiple vulnerabilities in Aria Operations |
| VMSA-2026-0004 (June 2026) | CVE-2026-41722, 41723, 41724 | 8.0 each | Stored XSS via policies, views, text widgets |
This is the third stored XSS advisory affecting the same product family in under two years. Each advisory has addressed the specific injection points reported, but new injection surfaces have continued to emerge. The pattern suggests that Broadcom has been addressing XSS reactively, fixing each reported injection point individually rather than implementing a product wide input sanitization framework.
A separate but relevant concern: in October 2025, SecurityWeek reported that Broadcom failed to disclose that a previously patched VMware vulnerability had been exploited as a zero day by Chinese state linked actors since mid October 2024. The flaw was exploited in the wild for approximately a year before it was patched, and Broadcom did not inform customers about the active exploitation at the time of patch release. This incident raises questions about the completeness of Broadcom's vulnerability communications and whether the absence of reported exploitation for CVE-2026-41724 can be taken at face value.
As of the June 8, 2026 disclosure date, no active exploitation of CVE-2026-41724 has been reported in public sources. The NVD record remains in "Received" status with no independent CVSS assessment yet provided, meaning the CVSS 8.0 score is vendor assigned and may be revised.
References
- CVE-2026-41724 Detail, NVD
- VMSA-2026-0004, Broadcom Security Advisory
- Broadcom Fixes Critical VMware Stored XSS Bugs, SecurityOnline
- Multiple VMware Stored XSS Vulnerabilities Allow Administrative Actions, CybersecurityNews
- CVE-2026-41724, CVEFeed.io
- VMware Cloud Foundation Security Vulnerabilities in 2026, Stack.Watch
- Content Security Policy in VMware Aria Operations, Broadcom Knowledge Base
- Broadcom Fails to Disclose Zero Day Exploitation of VMware Vulnerability, SecurityWeek
- VMware Fixed Five Vulnerabilities in Aria Operations Product, SecurityAffairs
- VMware Patches Multiple Vulnerabilities, SecPod
- VMware Security Advisories, Broadcom
- VMSA-2026-0001, Broadcom Security Advisory



