VMware has disclosed multiple high-severity stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation (VCF) Operations, potentially allowing attackers to inject malicious scripts and compromise administrative environments.
The issues, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under advisory VMSA-2026-0004 on June 8, 2026, and carry a combined CVSS v3 base score of 8.0, indicating a high-severity risk to enterprise deployments.
VMware Stored XSS Flaw
According to the advisory, the vulnerabilities reside in VCF Operations components that handle user-supplied input in management interfaces.
Improper input validation and output encoding allow threat actors to store crafted malicious JavaScript payloads within the platform. When subsequently accessed by privileged users, including administrators, the injected scripts execute within the context of the user’s browser session.
This creates a persistent…
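The output-encoding failure described above, shown as an added example that is not taken from the advisory or from VMware code: a stored record is rendered into an admin-facing table row once by string concatenation and once through a template tag that encodes every interpolated value. The record fields, function names, and sample values are hypothetical and constructed for illustration.

```javascript
// Added example; all names are hypothetical and the stored values are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content or a quoted attribute value.
// This is not sufficient for script, URL, or CSS contexts.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal markup is trusted, every interpolated value is encoded.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? encodeHtml(values[i]) : ""),
    ""
  );
}

// Constructed record, as it would sit in the datastore after an earlier save.
const storedRecord = {
  name: 'x" onfocus="/*constructed*/',
  description: "<script>/*constructed*/</script>",
};

// Weak form: stored values are concatenated straight into the markup.
function renderRowUnsafe(rec) {
  return '<tr><td title="' + rec.name + '">' + rec.description + "</td></tr>";
}

// Hardened form: the same row, with encoding applied at the point of output.
function renderRowSafe(rec) {
  return safeHtml`<tr><td title="${rec.name}">${rec.description}</td></tr>`;
}

// Structural check: the template itself has 4 tag openers and 2 double quotes.
// Anything above that was introduced by the stored data.
function markupShape(html) {
  return {
    tags: (html.match(/<[a-zA-Z\/]/g) || []).length,
    quotes: (html.match(/"/g) || []).length,
  };
}

console.log("unsafe:", markupShape(renderRowUnsafe(storedRecord)));
console.log("safe:  ", markupShape(renderRowSafe(storedRecord)));
```

The same shape comparison can serve as a regression test for any view that renders stored fields to privileged users.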