securityaffairs.com 2/24/2026, 4:01:23 PM · via preferred

VMware Aria Operations must be patched after CVE-2026-22719

Broadcom has released security updates for multiple flaws in VMware Aria Operations that could allow remote access. The most severe is a command injection flaw tracked as CVE-2026-22719 (CVSS 8.1), which unauthenticated attackers could exploit to run arbitrary commands remotely.

The article also notes two further flaws. CVE-2026-22720 (CVSS 8.0) is a high-severity stored cross-site scripting flaw that could let a user with privileges to create custom benchmarks inject script to perform administrative actions in Aria Operations. CVE-2026-22721 (CVSS 6.2) is a medium-severity privilege escalation issue that could grant administrative access.

According to Broadcom, the updates address VMware Aria Operations alongside VMware Cloud Foundation (v9.0.2.0) and VMware vSphere Foundation (v9.0.2.0), and customers are urged to apply them promptly to reduce exposure. The article also states that it is unclear whether any of the flaws have been exploited in the wild. VMware Aria Operations is described as an IT operations management platform that helps monitor and optimise virtual, cloud and hybrid environments.

February 24, 2026.

Article by CyberSIXT