CVE-2026-41722: VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 3
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) vulnerabilities in VMware Cloud Foundation Operations allow an authenticated attacker with policy, view, or text-widget creation privileges to inject malicious scripts into the application. The attack is reachable over the network and requires a victim to trigger the stored payload, typically by viewing an affected dashboard or page. Successful exploitation allows the attacker to perform administrative actions within the application on behalf of the victim. No fix versions have been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as upstream releases one.
HarborGuard Coverage
Detection for CVE-2026-41722 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including VMware and NVD sources) within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images derived from affected VMware base layers.
Available
HarborGuard scores this CVE at 8.0 HIGH using the CVSS v3.1 vector and is capable of weighting that score against each customer organization's compliance policy to determine urgency and route findings to the appropriate team inbox.
Available
Because no upstream fix version has been published, HarborGuard re-checks the VMware advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, the advisory remains open and flagged in each affected environment's finding queue.
Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable application must be reachable over the network; an attacker submits the malicious script payload via the network to a policy, view, or text-widget endpoint.
- Authentication: Required
A low-privilege account with rights to create policies, views, or text widgets is sufficient; unauthenticated access alone does not expose the injection surface.
- Victim interaction: Required
A victim (typically a higher-privileged user or administrator) must load the page or dashboard containing the injected script for it to execute.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond the attacker having the necessary account.
Blast Radius
- An attacker whose payload executes in a victim's browser session can issue administrative API calls within VMware Cloud Foundation Operations at the victim's privilege level.
- Session tokens or authentication cookies accessible to the injected script can be read and exfiltrated, enabling session hijacking.
- Application configuration, policies, and operational data can be modified or deleted through actions performed in the victim's authenticated context.
- Service disruption is possible if the injected script triggers operations that destabilize the affected environment or lock out legitimate administrators.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked with no fix version currently published. HarborGuard re-evaluates the VMware advisory on every ingest cycle and will automatically queue a patched-image rebuild at the fix version the moment VMware publishes one. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While no patch is available, compensating controls worth considering include network-policy isolation to restrict access to the Cloud Foundation Operations interface to trusted internal segments, egress filtering to limit what a compromised session can reach, and tightening role assignments so that the policy and widget creation privileges required for exploitation are held by the smallest possible set of accounts. Teams running affected versions (VCF Operations up to 9.1.0.0, VMware Aria Operations up to 8.18.7, or VMware Telco Cloud Platform up to 8.18.7) should monitor the HarborGuard advisory feed for patch availability.
- VMware / VCF operations: ≤ 9.1.0.0 · ≤ 9.0.2.0 EP2 · ≤ 8.18.7
- VMware / VMware Aria Operations: ≤ 8.18.6 · ≤ 8.18.7
- VMware / VMware Telco Cloud Platform: ≤ 8.18.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H