VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative action

Description

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947https:// .

Affected Products

Vendor	Product	Versions
vmware	aria_operations	< 8.18.6, < 5.2.3, < 9.0.2.0, <= 3.0, <= 5.1

References

CVSS 3.18.0 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

8.18.65.2.39.0.2.0

CWECWE-79

PublishedFeb 25, 2026

Last enriched6d ago

Trending Score0

Source articles0

Independent0

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative action

Description

Affected Products

References

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline