Broadcom has disclosed three stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation Operations and several related products, warning that authenticated attackers could inject malicious scripts to perform administrative actions within the environment.
Tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, the flaws were addressed in security advisory VMSA-2026-0004, published on June 8, 2026.
Each vulnerability carries a CVSSv3 base score of 8.0, placing the issues in the “Important” severity range. No workarounds are available, making patching the only viable remediation path.
VMware Stored XSS Vulnerabilities
According to the advisory, VMware Cloud Foundation Operations contains multiple stored cross-site scripting weaknesses introduced through improperly sanitized user-controlled input.
Stored XSS is particularly dangerous compared to reflected variants because the malicious payload is persisted server-side and executed…