Broadcom Patches Three Critical Stored XSS Vulnerabilities in VMware Cloud Foundation
Broadcom has released security advisory VMSA-2026-0004 addressing three critical stored XSS vulnerabilities in VMware Cloud Foundation Operations and related products, allowing authenticated attackers to inject malicious scripts.

Broadcom has announced the remediation of three critical stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation Operations and a suite of related products. The flaws, identified as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were detailed in security advisory VMSA-2026-0004, published on June 8, 2026. Each vulnerability carries a CVSSv3 base score of 8.0, classifying them as 'Important' severity.
These stored XSS vulnerabilities stem from improper sanitization of user-controlled input within the affected VMware products. Unlike reflected XSS, where the payload must be delivered to each victim individually, stored XSS is particularly insidious because the malicious script is persisted server-side in the application's data and served back on every view. Any user who opens the affected component therefore has the script executed in their browser, enabling repeatable attacks against many users, including those with higher privileges.
The advisory outlines a specific attack vector: an attacker with existing authenticated access and the ability to create policies, views, or text-widgets can embed crafted malicious scripts into these objects. When these objects are later rendered within the management interface, the embedded scripts execute within the context of other users. This can allow an attacker to perform administrative actions on behalf of unsuspecting users, potentially leading to significant compromise of the virtualized infrastructure.
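The mechanism the advisory describes (untrusted text saved into an object such as a text widget, then interpolated unescaped into the management UI for other users) is shown below as an added example. This is not Broadcom's or VMware's code; the widget store, the function names, and the sample widget bodies are all constructed for illustration. It contrasts the vulnerable renderer with one that escapes at the output boundary, and adds the kind of audit a defender can run over already-stored objects while patches are rolled out.

```javascript
// Added example, not VMware code: stored-XSS pattern, its fix, and an audit.
// widgetStore, saveWidget, renderWidget* and auditStore are hypothetical names.
const widgetStore = new Map();

// Storing raw text is not the defect: users may legitimately type '<' or '&'.
function saveWidget(id, body) {
  widgetStore.set(id, String(body));
}

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: stored text is interpolated straight into markup,
// so anything the widget's author saved runs in every viewer's browser.
function renderWidgetUnsafe(id) {
  return `<div class="widget">${widgetStore.get(id) ?? ''}</div>`;
}

// Hardened renderer: the same data, escaped at the point of output.
// Output encoding (not input filtering) is the fix that holds for all views.
function renderWidgetSafe(id) {
  return `<div class="widget">${escapeHtml(widgetStore.get(id) ?? '')}</div>`;
}

// Defensive audit of objects already in the store: flag bodies that contain
// markup which would become active content if rendered unescaped. This is a
// heuristic for triage (expect some false positives), not a sanitizer.
const ACTIVE_MARKUP = /<\s*(script|iframe|object|embed|svg|img)\b|\bon[a-z]+\s*=|javascript:/i;
function auditStore() {
  const findings = [];
  for (const [id, body] of widgetStore) {
    if (ACTIVE_MARKUP.test(body)) findings.push(id);
  }
  return findings;
}

// Constructed sample data: a benign widget and one saved by an account that
// holds widget-creation rights. The payload is the textbook demonstration.
saveWidget('w1', 'Cluster health: OK');
saveWidget('w2', "<script>alert('xss')</script>");

console.log('unsafe:', renderWidgetUnsafe('w2'));
console.log('safe:  ', renderWidgetSafe('w2'));
console.log('audit flagged:', auditStore());
```

The audit function is the piece worth reusing operationally: the same check, pointed at an export of policies, views and text widgets, tells an administrator whether any object already carries active markup before the fixed version is deployed.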
While exploitation requires an attacker to already possess authenticated privileges and the specific rights to create content objects, the potential for privilege escalation within a platform that manages critical IT infrastructure makes these vulnerabilities a serious concern. The vulnerabilities were privately reported to Broadcom by Alexis Bernazzani of Visa Inc., highlighting the active threat landscape.
The scope of affected products is broad, encompassing VMware Aria Operations, VMware Cloud Foundation, VMware Cloud Foundation Operations, VMware vSphere Foundation, and VMware Telco Cloud Platform. The advisory provides a detailed response matrix, indicating the specific versions affected and the corresponding fixed versions for each product component.
Broadcom emphasizes that no workarounds are available for these vulnerabilities, making the prompt application of patches and updates the sole effective mitigation strategy. Organizations are strongly advised to consult the provided response matrix and prioritize the deployment of the listed fixed versions to secure their environments.
In addition to patching, administrators are advised to review and tighten role assignments and permissions, particularly for users who can create policies, views, and text-widgets. Limiting the number of accounts with these capabilities reduces the attack surface and mitigates the risk of exploitation while patches are being rolled out.
The disclosure of these vulnerabilities underscores the ongoing need for vigilance in securing complex virtualization platforms. Stored XSS flaws, especially in administrative interfaces, can provide a critical foothold for attackers seeking to gain deeper access and control over sensitive IT environments.