VMware Cloud Foundation Ops: Multiple Stored XSS in Policy/View Widgets
CVE-2026-41723 Published on June 8, 2026
VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Vulnerability Analysis
CVE-2026-41723 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-41723 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-41723
stack.watch emails you whenever new vulnerabilities are published in VMware Aria Operations or VMware Telco Cloud Platform. Just hit a watch button to start following.
Affected Versions
VMware VCF operations:- Version 9.1.x.x, <= 9.1.0.0 is affected.
- Version 9.0.x.x, <= 9.0.2.0 EP2 is affected.
- Version 5.x, <= 8.18.7 is affected.
- Version 8.18.x, <= 8.18.6 is affected.
- Version 8.18.x, <= 8.18.7 is affected.
- Version 5.x, <= 8.18.7 is affected.