Broadcom publishes VMSA-2026-0001 for VMware Aria Operations (command injection, stored XSS, and privilege escalation)
What happened
Broadcom published VMSA-2026-0001 on 2026-02-24, stating that multiple vulnerabilities in VMware Aria Operations were privately reported and that patches/workarounds are available for affected Broadcom products.
The advisory covers three issues: CVE-2026-22719 (command injection, max CVSS 8.1), CVE-2026-22720 (stored cross-site scripting, max CVSS 8.0), and CVE-2026-22721 (privilege escalation, max CVSS 6.2).
For CVE-2026-22719, Broadcom says an unauthenticated attacker may be able to execute arbitrary commands leading to remote code execution while support-assisted product migration is in progress; the advisory lists patches and a workaround referenced as KB430349.
Who is impacted
The advisory lists impacted products including VMware Aria Operations, VMware Cloud Foundation, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure (where Aria Operations is bundled or used).
Broadcom's response matrix indicates fixes are available via updated releases or KBs, including VMware Aria Operations 8.18.6 and VMware Cloud Foundation Operations 9.0.2.0 (plus KB-based fixes for some bundled versions).
What to do now
- Identify where VMware Aria Operations is deployed directly or via VCF/Telco bundles.
- Apply the vendor-provided fixed versions listed in the advisory's Response Matrix for your product/version.
- If you are performing or planning a support-assisted product migration, review and apply the advisory's workaround guidance for CVE-2026-22719 (KB430349) until fully patched.
- Limit or review permissions for features referenced in the advisory (e.g., the ability to create custom benchmarks) and access paths from vCenter to Aria Operations, consistent with least privilege.
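The steps above amount to an inventory triage: find every Aria Operations instance, compare its version with the fixed release for its product, and flag migrations in progress that need the KB430349 workaround in the meantime. The script below is an added example written for this page, not Broadcom's tooling; the inventory format, host names, the in_migration flag and the "X.Y" placeholder version are assumptions, while the fixed versions (8.18.6, 9.0.2.0) and KB430349 come from the advisory. Bundled products whose fix is KB-based are not encoded, so they are reported as "unknown" for a manual check against the Response Matrix rather than guessed.

```python
"""Triage a constructed inventory against the fixed versions named in VMSA-2026-0001.

Added example, not vendor tooling. Inventory layout, hosts and flags are assumed;
fixed versions and the KB430349 workaround reference are taken from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Fixed releases named in the advisory's Response Matrix.
FIXED_VERSIONS = {
    "VMware Aria Operations": "8.18.6",
    "VMware Cloud Foundation Operations": "9.0.2.0",
}

# Constructed sample inventory (hypothetical hosts; "X.Y" is a placeholder,
# not a real product version).
SAMPLE_INVENTORY = [
    {"host": "aria-ops-01.example.test", "product": "VMware Aria Operations",
     "version": "8.18.4", "in_migration": False},
    {"host": "aria-ops-02.example.test", "product": "VMware Aria Operations",
     "version": "8.18.6", "in_migration": False},
    {"host": "vcf-ops-01.example.test", "product": "VMware Cloud Foundation Operations",
     "version": "9.0.1.0", "in_migration": True},
    {"host": "vcf-ops-02.example.test", "product": "VMware Cloud Foundation Operations",
     "version": "9.0.2.0", "in_migration": False},
    {"host": "tcp-ops-01.example.test", "product": "VMware Telco Cloud Platform",
     "version": "X.Y", "in_migration": False},
]


def parse_version(v: str, width: int = 4) -> tuple[int, ...]:
    """Turn '8.18.6' into (8, 18, 6, 0) so comparisons are numeric, not lexical."""
    parts = [int(p) for p in v.strip().split(".")]
    if not parts or len(parts) > width:
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_below_fix(product: str, version: str) -> bool | None:
    """True if below the fixed release, False if at/after it, None if the
    product is not in the table (KB-based fix: check the Response Matrix)."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown"
    actions: list[str] = field(default_factory=list)


def triage(inventory: list[dict]) -> list[Finding]:
    findings = []
    for item in inventory:
        below = is_below_fix(item["product"], item["version"])
        actions: list[str] = []
        if below is None:
            status = "unknown"
            actions.append("Bundled or unlisted product: check the Response Matrix for a KB-based fix")
        elif below:
            status = "vulnerable"
            actions.append(f"Upgrade to {FIXED_VERSIONS[item['product']]}")
            if item.get("in_migration"):
                # Support-assisted migration is the exposure window for CVE-2026-22719.
                actions.append("Migration in progress: apply the KB430349 workaround for CVE-2026-22719 until patched")
        else:
            status = "patched"
        findings.append(Finding(item["host"], item["product"], item["version"], status, actions))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:28} {f.product:36} {f.version:8} {f.status}")
        for a in f.actions:
            print(f"    -> {a}")
    print(summarize(results))
```

Numeric comparison matters here: a string compare would rank "8.18.10" below "8.18.6" and report a patched host as vulnerable, so the helper pads and compares integer tuples.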
Additional Information
- Advisory: VMSA-2026-0001 (Issue date 2026-02-24, updated 2026-02-24).
- CVEs: CVE-2026-22719, CVE-2026-22720, CVE-2026-22721.
- Fixed-version references called out in the advisory include VMware Aria Operations 8.18.6 and VMware Cloud Foundation Operations 9.0.2.0.
