CVE-2026-41723 Overview
CVE-2026-41723 affects VMware Cloud Foundation Operations and consists of multiple stored cross-site scripting (XSS) vulnerabilities [CWE-79]. An authenticated attacker with privileges to create policies, views, or text-widgets can inject malicious scripts into the application. When other users render the affected interface, the injected scripts execute in their browser session.
The issue carries a CVSS 3.1 base score of 8.0 and is tracked in Broadcom Security Advisory #37513. Because the scripts run in the context of administrative users, an attacker can perform privileged actions in VMware Cloud Foundation Operations through victim sessions.
Critical Impact
Stored XSS in policies, views, and text-widgets enables script execution against administrators, leading to unauthorized administrative actions and full compromise of Cloud Foundation Operations management workflows.
Affected Products
- VMware Cloud Foundation Operations
- Broadcom VMware Cloud Foundation product family components that embed Operations
- Deployments where low-privileged users can author policies, views, or text-widgets
Discovery Timeline
- 2026-06-08 - CVE-2026-41723 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in the NVD
Technical Details for CVE-2026-41723
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in VMware Cloud Foundation Operations. The application accepts user-controlled input within policy definitions, view configurations, and text-widget content without enforcing sufficient output encoding. The malicious payload persists in backend storage and renders as active script when subsequent users load the affected page.
Because the injection occurs server-side and is delivered to every viewer of the resource, exploitation does not depend on luring victims to a crafted URL. Any user who opens the affected dashboard, policy, or widget triggers the payload in their authenticated session.
The attack chain requires the attacker to hold the privileges necessary to create or edit policies, views, or text-widgets. The victim must interact with the application, but that requirement is typically met during normal use of the management console, since opening the affected dashboard, policy, or widget is enough to render the stored payload.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Fields used in policy, view, and text-widget objects are stored and later reflected in the rendered UI without contextual escaping of HTML, attribute, or JavaScript contexts.
Attack Vector
The attack vector is network-based and authenticated. An attacker with low-level authoring privileges submits a crafted payload through the Cloud Foundation Operations UI or API endpoints that back the affected object types. The payload remains persistent and executes against any authenticated viewer, including administrators with rights to modify policies, manage users, and operate the platform.
No verified public exploit code is currently available. See the Broadcom Security Advisory #37513 for vendor technical details.
Detection Methods for CVE-2026-41723
Indicators of Compromise
- Policy, view, or text-widget objects containing HTML tags such as <script>, <img onerror=>, or <svg onload=> in stored content fields
- Unexpected outbound HTTP requests from administrator browser sessions to attacker-controlled hosts shortly after opening a dashboard
- Audit log entries showing administrative API calls originating from a user session immediately after that user viewed an unfamiliar policy or widget
Detection Strategies
- Inspect Cloud Foundation Operations database content for stored payloads containing script tags, event handlers, or javascript: URIs in policy, view, and text-widget records
- Review web server access logs for POST and PUT requests to policy, view, and widget endpoints submitted by low-privileged accounts
- Correlate widget or policy creation events with subsequent privileged actions performed by different user accounts
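As an added illustration of the first detection strategy (this script is not from the advisory or the product): a small Python triage routine that scans exported policy, view, and text-widget records for the stored-payload indicators listed above, decoding entity- and URL-encoded content first so that encoded payloads are not missed. The field names and sample records are constructed assumptions, since the page does not describe the product's storage schema.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample records in the shape of the affected object types.
# Field names are hypothetical; the product schema is not documented here.
SAMPLE_RECORDS = [
    {"id": 101, "type": "policy", "author": "ops_user1",
     "content": "Alert when CPU > 90% for 10 minutes"},
    {"id": 102, "type": "text-widget", "author": "contractor7",
     "content": "<b>Status</b><img src=x onerror=alert(1)>"},
    {"id": 103, "type": "view", "author": "contractor7",
     "content": "<a href=\"JaVaScRiPt:alert(1)\">Cluster summary</a>"},
    {"id": 104, "type": "text-widget", "author": "ops_user2",
     "content": "&lt;svg onload=alert(1)&gt;"},  # entity-encoded on disk
]

# Indicator classes mirroring the IoC list: script tags, inline event
# handlers, javascript: URIs, and common active-element carriers.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(
        r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "active_element": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I),
}

def normalize(content: str) -> str:
    """Undo URL and HTML-entity encoding (a few rounds for double encoding)."""
    decoded = content
    for _ in range(3):
        step = html.unescape(unquote(decoded))
        if step == decoded:
            break
        decoded = step
    return decoded

def scan_record(record: dict) -> list[str]:
    """Return the indicator classes present in one stored record."""
    text = normalize(record.get("content", ""))
    return [name for name, pat in PATTERNS.items() if pat.search(text)]

def find_suspect_records(records: list[dict]) -> list[dict]:
    """Flag records with any indicator; the result feeds the audit step."""
    return [{"id": r["id"], "type": r["type"], "author": r["author"],
             "indicators": hits}
            for r in records if (hits := scan_record(r))]

if __name__ == "__main__":
    for finding in find_suspect_records(SAMPLE_RECORDS):
        print(finding)
```

Treat hits as triage leads rather than verdicts: legitimate widget markup can contain attributes that resemble event handlers, so review flagged objects before removing them.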
Monitoring Recommendations
- Alert on creation or modification of policies, views, or text-widgets by accounts that do not normally author such content
- Monitor administrator account activity for anomalous API calls following dashboard or policy views
- Track Content Security Policy violation reports if a restrictive CSP is enforced on the management console
How to Mitigate CVE-2026-41723
Immediate Actions Required
- Apply the fixed VMware Cloud Foundation Operations build referenced in Broadcom Security Advisory #37513
- Audit existing policies, views, and text-widgets for malicious or unexpected HTML and script content and remove offending objects
- Restrict authoring privileges for policies, views, and text-widgets to a minimum set of trusted operators
Patch Information
Broadcom has issued guidance in Security Advisory #37513. Administrators should consult the advisory for the specific fixed versions of VMware Cloud Foundation Operations and apply them through standard VMware Cloud Foundation update workflows.
Workarounds
- Revoke policy, view, and text-widget creation privileges from non-essential users until patching is complete
- Require administrators to access the Cloud Foundation Operations console from a dedicated browser profile that does not retain unrelated sessions
- Enforce a strict Content Security Policy on the management interface where supported to limit inline script execution
# Review accounts with authoring privileges in Cloud Foundation Operations
# and remove unnecessary policy, view, and text-widget permissions.
# The command names and flags below are illustrative placeholders: use the
# administrative tooling available in your deployment and replace the
# placeholders with values from your environment.
# vcf-ops-cli user list --role policy_author
# vcf-ops-cli role revoke --user <username> --permission create_widget
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.