CVE-2026-22720

Summary

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. 

To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of  VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947https:// .

Affected Software

VendorProductVersion RangeStatus
VMwareVMware Aria Operations8.18.0 < 8.18.6affected
VMwareVMware Aria Operations8.18.6unaffected
VMwareVMware Cloud Foundation Operations4.x < 5.2.3affected
VMwareVMware Cloud Foundation Operations9.x.x < 9.0.2affected
VMwareVMware Cloud Foundation Operations5.x < 5.2.3unaffected
VMwareVMware Telco Cloud Platform4.0 < 5.2.3affected
VMwareVMware Telco Cloud Platform5.2.3unaffected
VMwareVMware Telco Cloud Infrastructure2.0 < 5.2.3affected
VMwareVMware Telco Cloud Infrastructure5.2.3unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References