CVE-2026-41722 Overview
CVE-2026-41722 is a stored cross-site scripting (XSS) vulnerability affecting VMware Cloud Foundation Operations. The flaw allows an authenticated attacker with privileges to create policies, views, or text-widgets to inject malicious scripts into the application. When other users render the affected content, the injected scripts execute in their browser session under the application origin.
Broadcom tracks the issue under Security Advisory #37513 and categorizes it as a stored XSS class defect [CWE-79]. Successful exploitation can lead to administrative actions performed in the context of a higher-privileged user, including configuration changes within Cloud Foundation Operations.
Critical Impact
An authenticated attacker can inject persistent JavaScript into policies, views, or text-widgets and execute administrative actions in another user's session inside VMware Cloud Foundation Operations.
Affected Products
- VMware Cloud Foundation Operations
- Broadcom VMware product line (refer to Broadcom Security Advisory #37513 for version mapping)
- Deployments exposing policy, view, or text-widget creation to non-administrative users
Discovery Timeline
- 2026-06-08 - CVE-2026-41722 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41722
Vulnerability Analysis
The vulnerability resides in components of VMware Cloud Foundation Operations that accept user-supplied content for policies, views, and text-widgets. The application fails to sufficiently sanitize or encode this input before storing it and rendering it back to other authenticated users. As a result, attacker-controlled script payloads persist in the application database and execute when victims load the affected resource.
The attack requires authentication and at least one of the privileges needed to create the affected object types. User interaction is required, since a victim must view the malicious resource. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high because the script runs in an administrative session context.
Root Cause
The underlying defect is improper neutralization of input during web page generation [CWE-79]. Fields that accept rich content for policies, views, and text-widgets are written back into the DOM without context-appropriate output encoding. The application trusts authenticated input in places where untrusted markup or script should be stripped or escaped.
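To make the root cause concrete, the following Python snippet (an added example, not code from VMware Cloud Foundation Operations or Broadcom) renders a constructed widget string first the way the defect works, by concatenating stored text straight into HTML, and then with the context-appropriate encoding the advisory says is missing. The function and variable names, the sample widget text, and the three rendering contexts are assumptions chosen for illustration; the escaping rules themselves (HTML-escape in element and attribute context, a JSON literal with `<` and `>` escaped inside a script block) are standard output-encoding practice.

```python
import html
import json

# Constructed sample widget text for this example; it is not content taken
# from the advisory or from any real deployment.
UNTRUSTED_WIDGET_TEXT = 'Cluster status <script>alert(1)</script> "ok"'


def render_widget_vulnerable(text: str) -> str:
    """The pattern behind CWE-79: stored text is concatenated into the HTML body
    unchanged, so any tag or event handler in it becomes part of the DOM."""
    return f'<div class="widget">{text}</div>'


def render_widget_hardened(text: str) -> str:
    """Element-content context: HTML-escape so '<', '>', '&' and quotes are
    shown as literal characters instead of being parsed as markup."""
    return f'<div class="widget">{html.escape(text, quote=True)}</div>'


def render_title_attribute_hardened(text: str) -> str:
    """Attribute context: the same escaping, but the value must also be quoted
    in the template; an unquoted attribute ends at the first space."""
    return f'<div class="widget" title="{html.escape(text, quote=True)}"></div>'


def render_js_literal_hardened(text: str) -> str:
    """JavaScript-string context: JSON encoding gives a valid JS string literal,
    and escaping '<' and '>' keeps the value from ever closing the <script> tag."""
    literal = json.dumps(text).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var widgetText = {literal};</script>"


def injected_script_tags(rendered: str, template_script_tags: int = 0) -> int:
    """Count '<script' occurrences beyond the ones the template itself emits;
    anything above zero means user text was interpreted as markup."""
    return rendered.lower().count("<script") - template_script_tags


if __name__ == "__main__":
    print(render_widget_vulnerable(UNTRUSTED_WIDGET_TEXT))
    print(render_widget_hardened(UNTRUSTED_WIDGET_TEXT))
    print(render_title_attribute_hardened(UNTRUSTED_WIDGET_TEXT))
    print(render_js_literal_hardened(UNTRUSTED_WIDGET_TEXT))
```

The point of the three hardened renderers is that one escaping routine does not fit every sink: text that is safe inside an element body is not safe inside an unquoted attribute or inside a script literal, which is why the fix is described as context-appropriate encoding rather than a single sanitizer pass.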
Attack Vector
An authenticated attacker creates or edits a policy, view, or text-widget and embeds JavaScript inside a field that is later rendered to other operators. When an administrator opens the resource, the payload executes and can issue authenticated API requests, modify configuration, exfiltrate session data, or pivot to other Cloud Foundation Operations features available to that role.
No verified public proof-of-concept is available. Detailed payload behavior and the affected fields are described in the Broadcom Security Advisory #37513.
Detection Methods for CVE-2026-41722
Indicators of Compromise
- Policy, view, or text-widget objects containing <script>, javascript:, onerror=, or onload= substrings in stored fields.
- Unexpected administrative API calls originating from browser sessions immediately after a user opened a shared dashboard or widget.
- Audit log entries showing privileged configuration changes performed by accounts that did not initiate console activity.
Detection Strategies
- Query the Cloud Foundation Operations database or export views and widgets, then scan stored content for HTML and JavaScript tokens that should not appear in policy text.
- Inspect HTTP responses serving policy or widget content for script tags or event-handler attributes that bypass the expected rendering format.
- Correlate user logins with subsequent administrative actions to identify configuration changes that lack a corresponding console interaction.
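The first detection strategy above, scanning exported policy, view, and widget content for the tokens listed under Indicators of Compromise, is easy to get wrong with a plain substring search: mixed-case tags, percent-encoding, and HTML entities all hide the tokens. The Python scanner below is an added example (not a Broadcom or VMware tool) that normalizes each stored field before matching. The record shape, field names, and the sample export are constructed for the example; a real export from Cloud Foundation Operations will have its own schema, so only the normalization and matching logic carries over.

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Constructed export records in a generic JSON-like shape. These are sample
# values for this example, not data from any real deployment or the advisory.
SAMPLE_EXPORT = [
    {"id": "view-1", "type": "view", "description": "Capacity overview for cluster A"},
    {"id": "widget-7", "type": "text-widget", "body": "<b>Hosts</b>: 12 online"},
    {"id": "widget-9", "type": "text-widget", "body": "<ScRiPt>alert(1)</script>"},
    {"id": "policy-3", "type": "policy", "notes": "<img src=x onerror=alert(1)>"},
    {"id": "view-4", "type": "view", "description": "<a href='jAva&#x73;cript:alert(1)'>link</a>"},
    {"id": "widget-11", "type": "text-widget", "body": "<svg onload%3Dalert(1)>"},
]

# The four indicator substrings from the IoC list, as case-insensitive patterns
# that tolerate whitespace between the token and its delimiter.
TOKEN_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "onerror-handler": re.compile(r"\bonerror\s*=", re.I),
    "onload-handler": re.compile(r"\bonload\s*=", re.I),
}


def normalize(value: str) -> str:
    """Undo encodings that defeat a naive substring search: percent-encoding,
    HTML entities and NUL bytes, applied twice to cover double-encoded content."""
    out = value
    for _ in range(2):
        out = html.unescape(unquote(out)).replace("\x00", "")
    return out


def scan_record(record: dict) -> list[tuple[str, str]]:
    """Return (field, indicator) pairs for every token found in a record's string fields."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        text = normalize(value)
        for name, pattern in TOKEN_PATTERNS.items():
            if pattern.search(text):
                hits.append((field, name))
    return hits


def scan_export(records: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Scan every record and return only those with findings, keyed by object id."""
    findings = {}
    for record in records:
        hits = scan_record(record)
        if hits:
            findings[record["id"]] = hits
    return findings


if __name__ == "__main__":
    for object_id, hits in scan_export(SAMPLE_EXPORT).items():
        print(object_id, hits)
```

Treat a hit as a triage queue entry, not a verdict: legitimate rich-text widgets will match `<b>` style markup without tripping these patterns, while a payload using an event handler outside the four listed tokens will not match at all, so the token list should be extended from the fields named in Broadcom Security Advisory #37513 and the flagged objects reviewed by hand.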
Monitoring Recommendations
- Enable verbose audit logging for create, update, and delete operations on policies, views, and text-widgets.
- Forward Cloud Foundation Operations logs to a centralized SIEM and alert on anomalous payload patterns in object fields.
- Track administrative API activity per session and flag sessions that issue privileged calls within seconds of loading a shared view.
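The third monitoring recommendation, flagging sessions that issue privileged calls within seconds of loading a shared view, can be expressed as a small correlation over audit events. The Python below is an added example, not part of the product or the advisory: it reads constructed key=value audit lines (the format, event names such as VIEW_LOADED, UI_ACTION and API_CALL, the `priv=` field and the five-second window are all assumptions for the example) and flags a session when a privileged API call follows a view load inside the window with no console interaction in between, which is the "no corresponding console interaction" signal from the detection strategies.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Constructed audit lines in a simple key=value layout. They are sample data for
# this example and do not reproduce the real Cloud Foundation Operations log format.
SAMPLE_AUDIT_LOG = """\
2026-06-10T10:00:01Z session=s1 user=alice event=VIEW_LOADED object=view-4
2026-06-10T10:00:02Z session=s1 user=alice event=API_CALL method=PUT path=/api/alert-definitions priv=admin
2026-06-10T10:00:02Z session=s1 user=alice event=API_CALL method=POST path=/api/users priv=admin
2026-06-10T10:05:00Z session=s2 user=bob event=VIEW_LOADED object=view-1
2026-06-10T10:05:40Z session=s2 user=bob event=UI_ACTION control=save-button
2026-06-10T10:05:41Z session=s2 user=bob event=API_CALL method=PUT path=/api/policies/3 priv=admin
2026-06-10T10:07:00Z session=s3 user=carol event=API_CALL method=GET path=/api/metrics priv=user
"""

# Assumed threshold: a human operator rarely loads a view and completes a
# privileged change within this many seconds.
WINDOW_SECONDS = 5


def parse_line(line: str) -> dict:
    """Split a timestamp followed by key=value tokens into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_suspicious_sessions(log_text: str, window: int = WINDOW_SECONDS) -> dict[str, list[str]]:
    """Per session, remember the last view load and whether the user has
    interacted with the console since. A privileged API call within `window`
    seconds of a load, with no intervening UI action, is recorded as a finding."""
    last_load: dict[str, datetime] = {}
    interacted: dict[str, bool] = {}
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid, event = rec["session"], rec["event"]
        if event == "VIEW_LOADED":
            last_load[sid] = rec["ts"]
            interacted[sid] = False
        elif event == "UI_ACTION":
            interacted[sid] = True
        elif event == "API_CALL" and rec.get("priv") == "admin":
            loaded = last_load.get(sid)
            if loaded is None or interacted.get(sid, True):
                continue
            if (rec["ts"] - loaded).total_seconds() <= window:
                flagged.setdefault(sid, []).append(f"{rec['method']} {rec['path']}")
    return flagged


if __name__ == "__main__":
    for session, calls in find_suspicious_sessions(SAMPLE_AUDIT_LOG).items():
        print(session, calls)
```

Session s1 is flagged because two administrative writes land one second after a view load with no click recorded; s2 performs the same kind of write but after a save-button interaction, and s3 never loads a view. In a SIEM the same logic maps onto a sequence rule keyed on session id, and the window and the set of privileged paths are the parameters to tune against your own baseline.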
How to Mitigate CVE-2026-41722
Immediate Actions Required
- Apply the fixed VMware Cloud Foundation Operations build identified in Broadcom Security Advisory #37513.
- Audit existing policies, views, and text-widgets for embedded HTML or JavaScript and remove suspicious content.
- Restrict policy, view, and text-widget creation privileges to a minimal set of trusted operators until patching is complete.
Patch Information
Broadcom has published remediation guidance in Broadcom Security Advisory #37513. Administrators should consult the advisory for the exact fixed versions of VMware Cloud Foundation Operations and apply the vendor-supplied update through standard upgrade workflows.
Workarounds
- Limit the roles that can create or edit policies, views, and text-widgets to reduce the attacker population.
- Require administrative review before any user-authored widget or view is shared with privileged operators.
- Enforce a strict Content Security Policy at any reverse proxy fronting Cloud Foundation Operations to constrain inline script execution where supported.
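The last workaround, a Content Security Policy set at a reverse proxy, is worth showing because the order of deployment matters: a strict policy applied blind can break the product's own UI. The nginx fragment below is an added example and is not configuration shipped by Broadcom or VMware; the hostname, upstream address and report collector are placeholders, and whether Cloud Foundation Operations itself relies on inline scripts is not stated in the advisory, which is exactly why the example starts in report-only mode.

```nginx
# Added example: reverse proxy in front of Cloud Foundation Operations that
# adds a CSP header. Hostnames, ports and paths below are placeholders.
server {
    listen 443 ssl;
    server_name ops.example.internal;   # placeholder

    # Step 1: report-only. Injected <script> blocks and onerror=/onload=
    # handlers would violate script-src 'self', but so would any inline
    # script the application legitimately uses; the reports show which.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; report-uri /csp-report" always;

    # Step 2: once reports show no legitimate inline-script use, replace the
    # header above with the enforcing form:
    # add_header Content-Security-Policy
    #     "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;

    location / {
        proxy_pass https://127.0.0.1:8443;   # placeholder upstream
        proxy_set_header Host $host;
    }

    location = /csp-report {
        proxy_pass http://127.0.0.1:9090;    # placeholder CSP report collector
    }
}
```

If the reports show that the application does depend on inline scripts, a policy with `'unsafe-inline'` would not constrain the stored payload at all, and the proxy-level CSP stops being a useful workaround; the patched build from Broadcom Security Advisory #37513 remains the actual fix, with CSP as defense in depth.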
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.