Broadcom has recently reported three critical stored cross-site scripting (XSS) vulnerabilities impacting several VMware products, including VMware Cloud Foundation Operations. These security flaws enable authenticated attackers to inject malicious scripts that run in other users' browser sessions and can carry out administrative tasks within the affected environment.
Details of the Identified Vulnerabilities
The vulnerabilities, designated as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were addressed in a security advisory, VMSA-2026-0004, issued on June 8, 2026. Each of these vulnerabilities has received a CVSSv3 base score of 8.0, categorizing them as “Important” in terms of severity. As there are no available workarounds, applying patches is the only recommended solution.
Understanding Stored XSS Risks
The advisory reveals that the issues stem from improperly sanitized user inputs within VMware Cloud Foundation Operations, leading to multiple stored XSS vulnerabilities. Unlike reflected XSS, stored XSS poses a higher risk as the malicious code remains on the server and can execute whenever a user accesses the compromised component, potentially affecting numerous users.
Attackers with privileges to create policies, views, or text-widgets can embed malicious scripts into these elements. When the stored content is later rendered in the management interface, the scripts execute in the browser sessions of whoever views it, including administrators with higher privileges, allowing the attacker to perform unauthorized actions under those users' rights.
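The rendering defect described above, as an added example that is not VMware's or Broadcom's code: a hypothetical management UI that renders a stored text-widget record, first by interpolating the stored fields straight into HTML, then hardened with output-time escaping. The widget record is constructed sample data.

```javascript
// Added example (not VMware's code). Shows why stored text-widget fields
// must be escaped at output time and what the hardened version looks like.

// Escape the five characters that let stored text break out of an HTML
// text node or a double/single-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: stored widget fields land in the page unescaped, so
// whoever created the widget controls markup that later runs in the session
// of any user who opens the dashboard (the stored XSS pattern in the advisory).
function renderWidgetUnsafe(widget) {
  return `<div class="widget" title="${widget.title}">${widget.body}</div>`;
}

// Hardened rendering: same template, but every stored field is escaped when
// it is written into HTML, so user-supplied text is always displayed as text.
function renderWidgetSafe(widget) {
  return `<div class="widget" title="${escapeHtml(widget.title)}">${escapeHtml(widget.body)}</div>`;
}

// Constructed sample record (hypothetical): a widget whose title tries an
// attribute breakout and whose body carries a script tag.
const SAMPLE_WIDGET = {
  title: 'Capacity" onmouseover="alert(1)',
  body: '<script>alert("stored")</script>Usage: 80%',
};

// Regression check for the hardened path: the rendered output must contain
// no tag other than the template's own <div>, i.e. exactly one opening and
// one closing tag.
function rendersOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.length === 2 && tags[0].startsWith("<div ") && tags[1] === "</div>";
}

// Demonstration when run directly: the unsafe render fails the check, the
// safe render passes it.
console.log("unsafe passes check:", rendersOnlyTemplateTags(renderWidgetUnsafe(SAMPLE_WIDGET)));
console.log("safe passes check:  ", rendersOnlyTemplateTags(renderWidgetSafe(SAMPLE_WIDGET)));
```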
Mitigation and Security Measures
Though successful exploitation requires authenticated access with specific rights, the potential for privilege escalation within a virtualization management platform underscores the critical nature of these vulnerabilities. These issues were reported to Broadcom by Alexis Bernazzani of Visa Inc., with the advisory covering a wide range of affected Broadcom products.
Broadcom has released necessary patches and updates that should be applied promptly as outlined in the Response Matrix. The advisory includes a comprehensive list of vulnerable and fixed product versions.
Administrators are urged to prioritize installing these patches immediately, given the lack of alternative mitigations. Additionally, reviewing and tightening role assignments and permissions for creating policies, views, and text-widgets can help reduce the risk of exploitation until the patches are fully deployed.
By staying informed and taking swift action, organizations can better safeguard their infrastructure against these significant threats.
