CVE-2026-41722
Description
VMware Cloud Foundation Operations suffers from stored XSS, allowing privileged users to inject scripts for administrative actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Cloud Foundation Operations suffers from stored XSS, allowing privileged users to inject scripts for administrative actions.
Vulnerability
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. These vulnerabilities are present in versions prior to the application of patches. A malicious actor with privileges to create policies, views, or text-widgets can exploit this flaw [1].
Exploitation
An attacker requires privileges to create policies, views, or text-widgets within VMware Cloud Foundation Operations. Once authenticated with these privileges, the attacker can inject malicious scripts into these components, which are then executed when other users interact with them [1].
Impact
Successful exploitation allows an attacker to inject scripts that can perform administrative actions within VMware Cloud Foundation Operations. This could lead to unauthorized modifications, data manipulation, or further compromise of the system, depending on the injected script's functionality [1].
Mitigation
Patches and updates are available to remediate these vulnerabilities. Users should apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in the advisory. No workarounds are available [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
1- Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious ScriptsCyber Security News · Jun 8, 2026