CVE-2026-41722: Stored XSS in VMware Cloud Foundation Operations – Privilege-Based Impact
VMware Cloud Foundation Operations contains multiple stored cross-site scripting (XSS) vulnerabilities that allow authenticated attackers with policy creation, view, or text-widget privileges to inject malicious scripts. These scripts execute in the context of administrative actions within VMware Cloud Foundation Operations, potentially allowing attackers to perform unauthorized administrative operations. The vulnerability requires user interaction (such as an administrator viewing a malicious policy or widget) but can have significant impact once triggered.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-79
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability chain involves stored XSS flaws (CWE-79) in VMware Cloud Foundation Operations components. An authenticated actor with sufficient privileges can inject JavaScript into policies, views, or text-widget configurations. When other users—particularly administrators—access these contaminated resources, the injected scripts execute in their browser session with their privileges. The CVSS 3.1 score of 8.0 (HIGH) reflects the network-accessible attack vector, low attack complexity, required but common privileges (authenticated user with policy/view creation rights), and high impact across confidentiality, integrity, and availability of the targeted application.
Business impact
Successful exploitation could allow attackers to perform administrative actions without explicit consent, potentially including account creation, policy modification, or data exfiltration. Because the vulnerability requires privilege to create policies or widgets but allows lateral impact on higher-privileged users, it poses a significant risk in multi-user environments where developers, operators, or less-privileged admins may craft malicious configurations that affect platform administrators. This can lead to unauthorized changes to cloud infrastructure configurations, compliance violations, and operational disruption.
Affected systems
The vulnerability affects multiple VMware product lines: VMware Aria Operations, VMware Cloud Foundation (multiple versions), VMware Telco Cloud Platform, and VMware vSphere. Organizations running any of these products should determine which versions they operate and whether those versions contain the vulnerability. Consult VMware's security advisory for specific version ranges and affected builds.
Exploitability
Exploitation requires authentication and the ability to create policies, views, or text-widgets—capabilities typically granted to operators and mid-tier administrators but not all users. The attack also requires user interaction: a target must view or interact with the malicious content. However, given that viewing dashboards and policies is routine administrative activity, and that attackers with moderate privileges can craft convincing payloads, the practical barrier to exploitation is moderate rather than high. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Apply vendor patches provided by VMware for the affected product versions. Patch availability and version numbers should be verified directly from VMware's security advisory. Until patches are deployed, restrict policy and widget creation privileges to trusted personnel, monitor for suspicious script injection patterns in configuration audit logs, and educate administrators to be cautious when viewing policies or widgets from untrusted sources.
Patch guidance
Consult the VMware security advisory corresponding to CVE-2026-41722 for specific patch version numbers for each affected product line. Patches are expected for Aria Operations, Cloud Foundation, Telco Cloud Platform, and vSphere. Test patches in a non-production environment first, particularly for Cloud Foundation and vSphere where incorrect updates can impact infrastructure stability. Coordinate patching across dependent systems to minimize service disruption.
Detection guidance
Monitor audit logs for privilege escalation or administrative actions performed by low-privileged accounts after they accessed policies or views. Look for script tags, event handlers, or encoded JavaScript in policy and widget configuration data. Web application firewalls and content security policy (CSP) headers can help detect or block execution of injected scripts. Review policy and widget creation logs for users creating objects with suspicious or obfuscated content. Correlate administrative action logs with policy view access to identify potentially malicious interactions.
Why prioritize this
This vulnerability merits prompt but measured attention. The HIGH CVSS score reflects significant potential impact, but the requirement for authentication and user interaction limits attack surface in well-segmented environments. Priority should be elevated if your organization grants policy creation rights to contractors, has a large administrative team, or uses Aria Operations or Cloud Foundation as central infrastructure-as-code repositories. Organizations with strict role-based access control and logging can deprioritize slightly pending vendor patch availability.
Risk score, explained
The CVSS 3.1 score of 8.0 (HIGH) balances multiple factors: network accessibility (AV:N) and low attack complexity (AC:L) favor attackers, but the requirement for authentication (PR:L) and user interaction (UI:R) reduce risk. The impact vector (C:H/I:H/A:H) reflects that successful exploitation can compromise confidentiality, integrity, and availability of the target application. Scope is unchanged (S:U), meaning impact is limited to VMware Cloud Foundation Operations itself rather than other systems—a moderating factor that keeps the score in the HIGH rather than CRITICAL range.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires the attacker to have valid authentication credentials and sufficient privileges to create policies, views, or text-widgets. Unauthenticated users cannot inject the malicious scripts.
Does this affect my vSphere deployment if I don't use Aria Operations or Cloud Foundation?
vSphere is listed as affected, so if you run vSphere environments check the vendor advisory to determine which versions are vulnerable. Aria Operations is a separate product often used for vSphere monitoring, but the vulnerability also has a separate impact on vSphere itself in certain configurations.
What if we have strict change control and no one creates policies except our platform team?
Your risk is significantly reduced because the attacker must first obtain credentials and privilege to create policies. However, insider threats and compromised platform team credentials remain a concern. Continue monitoring audit logs and consider additional controls such as mandatory approval workflows for policy changes.
Is there a workaround if we cannot patch immediately?
Until patches are available, restrict policy and text-widget creation privileges to a minimal, trusted set of administrators. Implement content-based filtering on configuration storage if possible, and enhance monitoring of administrative actions. However, patching remains the primary remediation path once available from VMware.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should verify all findings, patch version numbers, and affected product versions against official VMware security advisories before taking remediation actions. SEC.co does not guarantee the accuracy, completeness, or currency of this information and recommends consultation with VMware support and your internal security team. Exploitation status may change as new information emerges; subscribe to vendor notifications for timely updates. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41723HIGHVMware Cloud Foundation Operations Stored XSS Vulnerability (CVSS 8.0)
- CVE-2026-41724HIGHVMware Cloud Foundation Stored XSS Vulnerability
- CVE-2026-41845HIGHSpring Framework JavaScriptUtils XSS Vulnerability
- CVE-2026-41846MEDIUMSpring Framework JSP Form Tag XSS Vulnerability – Patch Guidance
- CVE-2023-54351HIGHStored XSS in WordPress Sonaar Music Plugin 4.7 – Patch & Detection Guide
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)