Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws.
The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.
“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” Broadcom explained in its advisory.
Another high-severity issue patched in Aria Operations (with a CVSS score of 8.0) is CVE-2026-22720, a stored cross-site scripting (XSS) flaw that can allow an attacker with permission to create custom benchmarks to inject scripts to perform administrative actions.
The third and last vulnerability patched with the latest round of updates is CVE-2026-22721, a medium-severity privilege escalation issue that can be exploited to obtain administrative access.
Patches for the vulnerabilities are included in version 9.0.2.0 of VMware Cloud Foundation and VMware vSphere Foundation, and version 8.18.6 of Aria Operations.
Broadcom’s advisory does not mention anything about in-the-wild exploitation. However, it’s not uncommon for threat actors to exploit VMware product vulnerabilities.
In addition, Broadcom has been known not to include an in-the-wild exploitation warning in its initial advisory, even for long-exploited zero-days.
Related: High-Severity Vulnerabilities Patched in VMware Aria Operations, NSX, vCenter
Related: 2024 VMware Flaw Now in Attackers’ Crosshairs
Related: VMware Patches High-Severity Vulnerabilities in Aria Operations
