HIGH 8.0

CVE-2026-41724: VMware Cloud Foundation Stored XSS Vulnerability

VMware Cloud Foundation Operations contains multiple stored cross-site scripting (XSS) vulnerabilities that allow authenticated users with policy, view, or text-widget creation privileges to inject malicious scripts. These scripts execute in the context of administrative sessions, potentially enabling attackers to perform unauthorized administrative actions without additional authentication. The vulnerability requires both authentication and user interaction (clicking a link or visiting a crafted page), but once triggered, grants full administrative capability within the affected platform.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-79
Affected products
3 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a stored XSS flaw (CWE-79) in VMware Cloud Foundation Operations that persists malicious JavaScript payloads within policies, views, or text-widget configurations. When an administrative user accesses these components, the injected script executes with the privileges of that user. The attack vector is network-accessible, requires low complexity for exploitation, and demands only basic user privileges to inject the payload. The required user interaction (UI:R) reflects the need for an admin to view the compromised component, but not a separate social engineering step beyond normal platform usage.

Business impact

Successful exploitation can lead to complete compromise of Cloud Foundation Operations administrative functions. An attacker with limited initial access could escalate to full platform control, potentially affecting infrastructure orchestration, multi-cloud resource management, and operational visibility. For organizations using Aria Operations or Telco Cloud Platform alongside Cloud Foundation, the blast radius extends to dependent systems. This is particularly critical for Telco operators where platform compromise threatens service availability and customer-facing infrastructure.

Affected systems

VMware Cloud Foundation, VMware Aria Operations, and VMware Telco Cloud Platform are affected. Organizations running these products in any deployment model (on-premises, cloud-hosted) are in scope if Cloud Foundation Operations is enabled. Verify your specific product versions against VMware's advisory, as fix availability and patch timelines may vary across product lines.

Exploitability

Exploitation requires authentication and the ability to create or modify policies, views, or text-widgets—a privilege typically held by infrastructure administrators or platform operators. The attack does not require special knowledge or advanced exploitation techniques; standard XSS payload encoding bypasses basic input filters. However, weaponization is constrained by the attacker's initial privilege level and the need for an administrator to interact with the malicious component. Public exploits are not yet widely available, and this is not listed on the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild remains limited.

Remediation

Apply vendor-supplied patches from VMware as soon as they become available. Interim mitigation includes restricting policy, view, and text-widget creation privileges to trusted administrative personnel and auditing existing configurations for suspicious content. Implement network-level controls to limit administrative UI access to trusted IP ranges. Monitor for unusual administrative activity, particularly actions performed from unexpected user sessions or during off-hours.

Patch guidance

Check the VMware security advisory for CVE-2026-41724 to identify patched versions for Cloud Foundation, Aria Operations, and Telco Cloud Platform. Apply patches in a maintenance window; prioritize environments with external-facing or multi-tenant administrative access. Test patches in a pre-production environment to ensure compatibility with existing policies and custom widgets before production deployment.

Detection guidance

Search logs and audit trails for creation or modification of policies, views, or text-widgets by unexpected accounts, particularly during unusual times. Monitor web traffic to the Cloud Foundation Operations UI for script payloads in request bodies or parameters containing 'script', 'javascript', 'onerror', or event handler syntax. Review policy and widget definitions for HTML tags, event handlers, or encoded JavaScript. Inspect network activity for administrative action sequences that lack corresponding UI logs, which would indicate programmatic exploitation.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (8.0), the administrative impact of successful exploitation, and its foothold in critical infrastructure platforms. The stored XSS nature means a single injection compromises all future viewers, creating persistent risk. While exploitation currently requires authentication and user interaction, the low complexity and privileged damage potential make this a priority for rapid patching in most organizations. Telco operators should elevate this further given the role of these platforms in service delivery.

Risk score, explained

The CVSS 3.1 score of 8.0 (HIGH) reflects network accessibility, low attack complexity, and the requirement for only basic user privileges to inject the payload. The high confidentiality, integrity, and availability impact ratings reflect the ability to perform arbitrary administrative actions once the script executes. The requirement for user interaction (UI:R) and the need for initial authentication (PR:L) prevent a critical rating, but the scope remains unchanged because administrative actions affect only the targeted application, not other systems directly. Organizations with strong administrative access controls and audit logging may treat this as slightly lower risk operationally.

Frequently asked questions

Do I need to patch immediately, or can I wait for a mature update?

While this is not yet listed as exploited in the wild, the high CVSS and stored nature of the XSS mean even a single injection creates persistent risk. Plan to patch within 30 days or implement interim mitigations (policy creation restrictions, IP-based access controls) immediately. Verify patch availability and compatibility before the maintenance window to avoid delays.

Does this affect our Cloud Foundation if we don't use Aria Operations or Telco Cloud Platform?

The vulnerability exists in Cloud Foundation Operations itself, so all deployments are potentially affected regardless of ancillary products. However, verify the specific Cloud Foundation version and build number against the VMware advisory to confirm. Some patched builds may already include fixes from prior updates.

Can this vulnerability be exploited remotely without an account?

No. An attacker must first authenticate to Cloud Foundation Operations and possess the privilege to create or edit policies, views, or text-widgets. This narrows the risk to a subset of administrators or platform operators. Nonetheless, if an attacker compromises a service account or junior admin credential, the privilege escalation to full platform control is straightforward.

How do we detect if we've already been compromised?

Review audit logs for policy, view, or widget creation by unexpected users, especially service accounts or during off-hours. Export and inspect the configurations of all policies and widgets for HTML tags, JavaScript, or event handlers. Look for administrative action sequences (e.g., user account creation, permission changes) that lack a corresponding audit entry from the UI, which suggests script-based exploitation.

This analysis is based on the vulnerability description and CVSS vector provided as of the published and modified dates. Patch availability, affected version ranges, and remediation steps must be verified against the official VMware security advisory before deployment. This page does not constitute professional security advice; consult with your security team and VMware support for guidance specific to your environment. No public exploit code is referenced or endorsed. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog, but active exploitation may emerge at any time. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).