CVE-2026-22720
Published: 25 February 2026
Summary
CVE-2026-22720 is a high-severity Cross-site Scripting (CWE-79) vulnerability in VMware Cloud Foundation. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). It is ranked at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation through patching, directly addressing the stored XSS vulnerability as specified in VMSA-2026-0001.
SI-10 enforces input validation on custom benchmarks to block malicious script injection by privileged users.
SI-15 applies output filtering when rendering custom benchmarks, preventing execution of injected scripts.
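The two controls above map to code as follows. This is an added example, not VMware Aria Operations code: the benchmark field names, the allowlist pattern and the table-row rendering shape are assumptions, and the sample record is constructed to carry markup in its description.

```javascript
// Added example (not VMware code): SI-10 input validation and SI-15 output
// filtering applied to a user-supplied "custom benchmark" record that a web
// UI renders. Field names and markup shape are assumptions; the sample is constructed.

// SI-15 (output filtering): encode every character that has meaning in HTML
// text or attribute context before interpolating untrusted data into markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// SI-10 (input validation): at creation time, accept only benchmark names that
// match an allowlist, so stored data is constrained before it is ever rendered.
const NAME_PATTERN = /^[A-Za-z0-9 _.\-]{1,64}$/;
function validateBenchmarkName(name) {
  return typeof name === 'string' && NAME_PATTERN.test(name);
}

// Vulnerable pattern: stored fields concatenated straight into markup, which is
// what a stored XSS in a rendering path looks like at the code level.
function renderBenchmarkRowUnsafe(b) {
  return `<tr><td>${b.name}</td><td>${b.description}</td></tr>`;
}

// Hardened pattern: every stored field passes through encodeForHtml, so any
// markup in the data is shown as literal text instead of being parsed.
function renderBenchmarkRow(b) {
  return `<tr><td>${encodeForHtml(b.name)}</td><td>${encodeForHtml(b.description)}</td></tr>`;
}

// Constructed sample: a benchmark whose description carries a script element.
const SAMPLE_BENCHMARK = {
  name: 'CPU Ready Baseline',
  description: 'Baseline <script>alert("stored xss")</script> for cluster A',
};

// Returns true when the hardened renderer leaves no raw script element in
// its output for the given record; used as a self-check on the encoding step.
function rendersWithoutRawScript(b) {
  return !/<script/i.test(renderBenchmarkRow(b));
}
```

Validation alone is not sufficient, since a description field or a record stored before the allowlist was introduced can still carry markup; output encoding at render time is what closes the path.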
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection and execution of malicious JavaScript (T1059.007) in the browser context of a privileged user viewing custom benchmarks, facilitating administrative actions via exploitation for privilege escalation (T1068).
NVD Description
VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .
Deeper analysis
CVE-2026-22720 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in VMware Aria Operations. Published on 2026-02-25, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The flaw allows malicious script injection through custom benchmarks created within the VMware Aria Operations platform.
A malicious actor with privileges to create custom benchmarks can exploit this vulnerability over the network with low complexity. Exploitation requires user interaction but enables the attacker to execute scripts that perform administrative actions in VMware Aria Operations, resulting in high impacts to confidentiality, integrity, and availability.
VMSA-2026-0001 advises applying patches listed in the 'Fixed Version' column of the 'Response Matrix' to remediate CVE-2026-22720. Additional details are available in the security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 and VMware Aria Operations 8.18.6 release notes at https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html.
Details
- CWE(s)