Description

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947).

PUBLISHED Reserved 2026-01-09 | Published 2026-02-25 | Updated 2026-02-26 | Assigner vmware




HIGH: 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
affected

8.18.0 (custom) before 8.18.6
affected

8.18.6
unaffected

Default status
affected

4.0 (custom) before 5.2.3
affected

9.0 (custom) before 9.0.2
affected

5.2.3
unaffected

9.0.2
affected

Default status
affected

4.0 (custom) before 5.2.3
affected

5.2.3 (custom)
unaffected

Default status
affected

2.0 (custom) before 5.2.3
affected

5.2.3
unaffected

References

support.broadcom.com/...l/content/SecurityAdvisories/0/36947 (VMSA-2026-0001: VMware Aria Operations updates (includes CVE-2026-22720)) vendor-advisory

techdocs.broadcom.com/...-operations-8186-release-notes.html (VMware Aria Operations 8.18.6 Release Notes (resolves CVE-2026-22720)) release-notes

cve.org (CVE-2026-22720)

nvd.nist.gov (CVE-2026-22720)
