EXECUTIVE SUMMARY
Three vulnerabilities (CVE-2026-22719, CVE-2026-22720, CVE-2026-22721) in VMware Aria Operations may allow command injection (leading to remote code execution), stored XSS, and privilege escalation. The most critical flaw (CVSS 8.1) affects migration workflows and could lead to full system compromise, particularly in VMware Cloud Foundation and Telco Cloud environments. Organizations using affected 8.x versions should urgently upgrade to patched releases (8.18.6 / 9.0.2.0).
- CVE: CVE-2026-22719, CVE-2026-22720, CVE-2026-22721
- CVSS: 8.1 (Command Injection), 8.0 (Stored XSS), 6.2 (Privilege Escalation)
- Active Region: Global
- Affected Sector: Multiple sectors
- Affected Product: VMware Aria Operations (including Cloud Foundation and Telco Cloud deployments)
- Severity: High
- Published Date: February 24, 2026
TECHNICAL DETAILS
- Target: VMware Aria Operations management plane, specifically the migration workflows and custom benchmark functionality that are accessible within enterprise and telco cloud deployments.
- Root Cause: The vulnerabilities stem from three distinct weaknesses: improper input validation, which enables command injection during migration workflows; insufficient output encoding, which allows stored cross-site scripting through custom benchmarks; and improper privilege boundary enforcement between vCenter-integrated roles and Aria Operations administrative controls, which leads to privilege escalation.
- Prerequisite for Exploitation: Exploitation requires network access……



