Broadcom has patched several vulnerabilities in VMware Aria Operations, including high-severity flaws. The most critical is CVE-2026-22719, a command-injection issue that can be exploited by an unauthenticated attacker. According to Broadcom, this flaw could allow execution of arbitrary commands, potentially leading to remote code execution in VMware Aria Operations, while a support-assisted product migration is in progress.
Another high-severity vulnerability patched is CVE-2026-22720, a stored cross-site scripting (XSS) flaw that allows an attacker with permission to create custom benchmarks to inject scripts that perform administrative actions. CVE-2026-22721 is a medium-severity privilege-escalation issue. Patches are included in version 9.0.2.0 of VMware Cloud Foundation and VMware vSphere Foundation, and in version 8.18.6 of Aria Operations. The advisory makes no explicit mention of in-the-wild exploitation.
The article, written by Eduard Kovacs, also notes that exploitation of VMware product vulnerabilities by threat actors is not unknown in general. 24 February 2026