Description
VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947) in VMSA-2026-0001. Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the 'Response Matrix' (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947) in VMSA-2026-0001.
CISA Known Exploited Vulnerability
Date added 2026-03-03 | Due date 2026-03-24
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Product status
8.18.0 (custom) before 8.18.6
8.18.6
9.0 (custom) before 9.0.2
9.0.2 (custom)
4.0 (custom) before 5.2.3
5.2.3
2.0 (custom) before 5.2.3
5.2.3 (custom)
2.0 (custom) before 5.2.3
5.2.3
References
www.cisa.gov/...erabilities-catalog?field_cve=CVE-2026-22719
support.broadcom.com/...l/content/SecurityAdvisories/0/36947 (VMSA-2026-0001: VMware Aria Operations updates (includes CVE-2026-22719))
knowledge.broadcom.com/external/article/430349 (KB430349: Workaround instructions for CVE-2026-22719)
techdocs.broadcom.com/...-operations-8186-release-notes.html (VMware Aria Operations 8.18.6 Release Notes (resolves CVE-2026-22719))