CVE-2026-22720

CRITICAL EPSS 32.9%
Published Feb 25, 2026 (4mo ago) · Modified Jun 17, 2026 (1w ago)
9.0 CVSS 3.1
Critical

Description

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

CVSS Details

Base Score 9.0
Exploitability 2.3
Impact 6.0
Vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability 32.9% percentile
Exploit & Patch Status No Known Exploit, Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 5

Vendor   Product                      Version   Range
vmware   aria_operations              *         ≥8.0 – <8.18.6
vmware   cloud_foundation             *         ≥4.0 – <5.2.3
vmware   cloud_foundation             *         ≥9.0 – <9.0.2.0
vmware   telco_cloud_infrastructure   *         ≥2.2 – ≤3.0
vmware   telco_cloud_platform         *         ≥4.0 – ≤5.1

References 2

  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
    Patch, Vendor Advisory
  • techdocs.broadcom.com https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html
    Release Notes

Remediation

  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
    Patch, Vendor Advisory