CVE-2026-41724
Description
VMware Cloud Foundation Operations has stored XSS flaws allowing privilege escalation via script injection in policies, views, or widgets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Cloud Foundation Operations has stored XSS flaws allowing privilege escalation via script injection in policies, views, or widgets.
Vulnerability
VMware Cloud Foundation Operations contains multiple stored cross-site scripting (XSS) vulnerabilities. These issues affect versions prior to the patches detailed in the response matrix [1].
Exploitation
A malicious actor with privileges to create policies, views, or text-widgets can inject scripts into these components. This script injection can then be used to perform administrative actions within VMware Cloud Foundation Operations [1].
Impact
Successful exploitation allows an attacker to perform administrative actions, potentially leading to unauthorized changes or compromise of the system's administrative functions. The scope of the compromise is limited to the administrative capabilities accessible through the affected components [1].
Mitigation
Patches and updates are available to remediate these vulnerabilities. Customers should apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' provided in the advisory [1]. No workarounds are available. The advisory was initially published on 2026-06-08 [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
1- Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious ScriptsCyber Security News · Jun 8, 2026