On February 24, 2026, Broadcom published security advisory VMSA-2026-0001, which addresses three flaws in VMware Aria Operations that could allow remote code execution, stored cross-site scripting, and privilege escalation. The advisory is rated Important severity overall, with CVSS scores ranging from 6.2 to 8.1, and covers the products that bundle Aria Operations, including VMware Cloud Foundation and the VMware Telco Cloud platforms. Organizations are advised to apply the patches promptly.

Details of the Vulnerabilities

The most serious of the three, CVE-2026-22719, is a command injection vulnerability in VMware Aria Operations with a CVSSv3 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). During support-assisted product migrations, an unauthenticated attacker can exploit it to execute arbitrary commands, resulting in remote code execution on the appliance. A workaround is documented in KB430349, but upgrading to a fixed version is recommended.

CVE-2026-22720 is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). A user with the privilege to create custom benchmarks can store a script payload in a benchmark that executes when an administrator later interacts with it (the UI:R in the vector reflects that required interaction). There is no workaround; patching is required. CVE-2026-22721 is a privilege escalation vulnerability with a CVSS score of 6.2 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L) that allows an actor holding vCenter privileges to obtain administrative access in Aria Operations. It likewise has no workaround and requires patching.

Affected Products

The flaws affect VMware Aria Operations 8.x, the Operations component of VMware Cloud Foundation 9.x (and VMware vSphere Foundation 9.x), VMware Cloud Foundation 5.x and 4.x, VMware Telco Cloud Platform 5.x and 4.x, and VMware Telco Cloud Infrastructure 3.x and 2.x, on any platform. Remediation is either an upgrade to a fixed version (VMware Aria Operations 8.18.6, or VMware Cloud Foundation Operations 9.0.2.0) or, for the Cloud Foundation 5.x/4.x and Telco Cloud lines, the product-specific patch KBs (KB92148 and KB428241 respectively).

| CVE ID | CVSS Score | Description | Severity | Fixed Version |
|---|---|---|---|---|
| CVE-2026-22719 | 8.1 | Command injection leading to RCE during migrations | Important | 8.18.6 (Aria Ops), 9.0.2.0 (VCF) |
| CVE-2026-22720 | 8.0 | Stored XSS via custom benchmarks | Important | 8.18.6 (Aria Ops), 9.0.2.0 (VCF) |
| CVE-2026-22721 | 6.2 | Privilege escalation from vCenter access | Moderate | 8.18.6 (Aria Ops), 9.0.2.0 (VCF) |

Broadcom credits: CVE-2026-22720 was reported by Tobias Anders of Deutsche Telekom Security, and CVE-2026-22721 was reported privately by Sven Nobis and Lorin Lehawany of ERNW.

| Product | Components | Versions Affected | Fixed Version | Workaround |
|---|---|---|---|---|
| VMware Cloud Foundation / VMware vSphere Foundation | VMware Cloud Foundation Operations | 9.x | 9.0.2.0 | KB430349 (CVE-2026-22719) |
| VMware Aria Operations | N/A | 8.x | 8.18.6 | KB430349 (CVE-2026-22719) |
| VMware Cloud Foundation | VMware Aria Operations | 5.x, 4.x | KB92148 | KB430349 (CVE-2026-22719) |
| VMware Telco Cloud Platform | VMware Aria Operations | 5.x, 4.x | KB428241 | KB430349 (CVE-2026-22719) |
| VMware Telco Cloud Infrastructure | VMware Aria Operations | 3.x, 2.x | KB428241 | KB430349 (CVE-2026-22719) |

Administrators should read the full advisory, download the patches from the Broadcom support portal, and, until the fix is applied, monitor their environments closely during support-assisted migrations, since that is the window in which CVE-2026-22719 is exploitable. Prioritizing these updates closes the exposure in enterprise cloud operations.
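The affected-products list and the table above give two fixed-version baselines: 8.18.6 for the Aria Operations 8.x line and 9.0.2.0 for the Cloud Foundation Operations 9.x line. The following triage script is an added example (not Broadcom's tooling) that checks an appliance inventory against those baselines using numeric rather than string comparison, so that a hypothetical later build such as 8.18.10 is not misreported as older than 8.18.6. The hostnames, build suffixes and version strings in SAMPLE_INVENTORY are constructed for the example; the Cloud Foundation 5.x/4.x and Telco Cloud lines are patched via KB rather than a version bump, so the script flags any line without a fixed-version entry instead of guessing.

```python
"""Fixed-version triage for VMSA-2026-0001 (added example, not advisory code).

Checks Aria Operations / VCF Operations appliance versions against the
fixed versions the advisory lists, with numeric version comparison.
"""
import re

# Fixed versions from the advisory, keyed by release line (major version).
FIXED_BY_LINE = {
    8: ((8, 18, 6), "VMware Aria Operations 8.18.6"),
    9: ((9, 0, 2, 0), "VMware Cloud Foundation Operations 9.0.2.0"),
}


def parse_version(text: str) -> tuple:
    """'8.18.6-24110371' -> (8, 18, 6); a build suffix after '-', '+' or a space is dropped."""
    core = re.split(r"[-+\s]", text.strip(), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def compare_versions(a: tuple, b: tuple) -> int:
    """Numeric tuple comparison with zero-padding, so 9.0.2 compares equal to 9.0.2.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_fixed(version: str):
    """True if at or after the fixed version for its line, False if before,
    None if the advisory gives no fixed version for that line (KB-patched lines)."""
    parsed = parse_version(version)
    entry = FIXED_BY_LINE.get(parsed[0])
    if entry is None:
        return None
    return compare_versions(parsed, entry[0]) >= 0


def triage(inventory):
    """Return [(host, version, status)] for a list of (host, version) pairs."""
    rows = []
    for host, version in inventory:
        fixed = is_fixed(version)
        if fixed is None:
            status = "no fixed version for this line; confirm the KB patch state instead"
        elif fixed:
            status = "patched"
        else:
            target = FIXED_BY_LINE[parse_version(version)[0]][1]
            status = f"VULNERABLE: upgrade to {target}"
        rows.append((host, version, status))
    return rows


# Constructed sample inventory: hostnames, build suffix and versions are invented.
SAMPLE_INVENTORY = [
    ("ops-prod-01", "8.18.5"),
    ("ops-prod-02", "8.18.6-24110371"),   # invented build suffix, stripped by parse_version
    ("ops-lab-01", "8.18.10"),            # hypothetical later build; string compare would get this wrong
    ("vcf-ops-01", "9.0.1.0"),
    ("vcf-ops-02", "9.0.2.0"),
    ("legacy-01", "7.5.0"),               # no fixed version listed for this line
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:18} {status}")
```

In practice the inventory would come from your CMDB or the appliance's own version reporting; the comparison logic is the part worth keeping, since a naive string comparison ("8.18.10" < "8.18.6") silently misclassifies patched hosts.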
