9.0
VMware Aria Operations allows attackers to inject malicious scripts
CVE-2026-22720
Summary
Attackers with privileges to create custom benchmarks in VMware Aria Operations may be able to inject malicious scripts (stored cross-site scripting) that perform administrative actions. This could lead to unauthorized changes or data exposure. To fix this, apply the latest patches from the VMware security advisory.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| vmware | aria_operations | > 8.0 , <= 8.18.6 | – |
| vmware | cloud_foundation | > 4.0 , <= 5.2.3 | – |
| vmware | cloud_foundation | > 9.0 , <= 9.0.2.0 | – |
| vmware | telco_cloud_infrastructure | > 2.2 , <= 3.0 | – |
| vmware | telco_cloud_platform | > 4.0 , <= 5.1 | – |
Original title
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative act...
Original description
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations.
To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
nvd CVSS3.1
9.0
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026