CVE-2026-22720 in VMware Aria Operations

Summary

by MITRE • 02/25/2026

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with privileges to create custom benchmarks may be able to inject script to perform administrative actions in VMware Aria Operations. 

To remediate CVE-2026-22720, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001 (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947).


Analysis

by VulDB Data Team • 03/06/2026

This vulnerability affects VMware Aria Operations, a monitoring and analytics platform that provides operational intelligence for enterprise virtual infrastructure. It is a stored (persistent) cross-site scripting flaw: attacker-supplied script is saved by the application and later executed in the browser of other users who view the affected content. The entry point is the custom benchmark creation functionality, and because the script runs with the viewing user's session, a benchmark author with limited rights can have actions carried out under an administrator's account.

The advisory does not describe the defect in detail. A stored XSS of this shape generally arises when data written by one user (here, the fields of a custom benchmark) is rendered into another user's page without output encoding appropriate to the HTML context, so markup or event handlers embedded in the stored value are interpreted as code rather than shown as text. The payload is delivered during normal use of the application: any authenticated user, including an administrator, who views the benchmark triggers it, and the attacker needs no further interaction with the victim once the benchmark has been saved.
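As an added illustration (this is example code, not code from VMware Aria Operations or from VulDB), the following shows the rendering defect in the abstract: a benchmark record whose name carries markup is rendered once by naive string interpolation and once through an HTML encoder. The record shape, the field names and the `/api/admin` path inside the payload are assumptions made for the example.

```javascript
// Added example, not product code. Benchmark shape and field names are
// assumptions; the /api/admin path in the payload is invented.

// Constructed records: one benign, one whose name carries a script payload
// that would run with the viewer's session (e.g. an administrator's).
const storedBenchmarks = [
  { id: 1, name: "CPU usage baseline", threshold: 80 },
  { id: 2, name: '<img src=x onerror="fetch(\'/api/admin\')">', threshold: 90 },
];

// Encode the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored data is interpolated straight into markup, so a name
// containing <img onerror=...> becomes a live element in the viewer's page.
function renderBenchmarkUnsafe(b) {
  return `<li data-id="${b.id}">${b.name} (threshold ${b.threshold}%)</li>`;
}

// Hardened: every value that originated from a user is encoded for the
// context it lands in before being concatenated into the template.
function renderBenchmarkSafe(b) {
  return `<li data-id="${escapeHtml(b.id)}">${escapeHtml(b.name)} (threshold ${escapeHtml(b.threshold)}%)</li>`;
}

function renderAll(renderer) {
  return "<ul>" + storedBenchmarks.map(renderer).join("") + "</ul>";
}

// Structural check: the template itself contributes exactly 2 + 2n tag
// openers for n records (<ul>, </ul>, and <li>/</li> per record). Any
// additional "<" in the output came from the data and is injected markup.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

function expectedTagOpeners(records) {
  return 2 + 2 * records.length;
}

console.log("unsafe:", renderAll(renderBenchmarkUnsafe));
console.log("safe:  ", renderAll(renderBenchmarkSafe));
console.log("unsafe openers:", countTagOpeners(renderAll(renderBenchmarkUnsafe)),
            "safe openers:", countTagOpeners(renderAll(renderBenchmarkSafe)),
            "expected:", expectedTagOpeners(storedBenchmarks));
```

The counting check is only a way to make the difference visible in a test; the real defence is doing what `renderBenchmarkSafe` does everywhere, normally by rendering through a templating layer that escapes by default. Values placed into a JavaScript block, a URL or a CSS property need the encoder for that context, not the HTML one shown here.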

The impact goes beyond script execution in the victim's browser. Because the injected script runs with the privileges of whoever views the benchmark, it can perform administrative actions in VMware Aria Operations on the attacker's behalf: modifying or creating benchmarks, reading operational data the attacker is not entitled to see, or changing configuration that the viewing administrator is allowed to change. The only precondition is the privilege to create custom benchmarks, which in many deployments is granted to roles well below administrator, so the flaw is most dangerous in shared or multi-team environments where that right has not been assigned on a least-privilege basis.

Affected organizations should apply the patches referenced in VMSA-2026-0001, which carries Broadcom's official remediation guidance. The response matrix lists fixed versions rather than describing the fix; the expected correction for CWE-79 (Improper Neutralization of Input During Web Page Generation) is context-aware output encoding of benchmark fields at render time, with input validation as a secondary control. A rendering fix neutralises stored payloads but does not delete them, so benchmark records created before patching should be reviewed for embedded markup, both to clean them up and because such records are evidence of attempted exploitation. Security teams should also restrict the custom benchmark creation privilege to roles that need it and log benchmark creation and modification. The entry's ATT&CK mapping lists T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching) and T1059.007 (Command and Scripting Interpreter: JavaScript); the second describes the browser-executed payload accurately, while the first is a loose fit, since no sudo mechanism is involved and the elevation comes from riding an administrator's session. Network segmentation limits who can reach the management interface at all, which shrinks the pool of potential attackers but does not mitigate the vulnerability for users who legitimately hold the benchmark privilege.
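A post-patch triage check, added here as example code (not a VulDB, VMware or Broadcom tool): it scans an export of benchmark records for markup that has no business in a benchmark name or description, decoding HTML entities first so that an entity-encoded payload is not missed, and ignoring bare comparison operators such as `a < b` that are legitimate in such fields. The export format, the field names and the sample records are constructed assumptions; adapt them to however benchmarks are exported from your instance.

```javascript
// Added example, not product code. Record shape and field names are assumed.

// Constructed export: two benign records, one with a raw tag, and one with an
// entity-encoded payload that a naive grep for "<script" would miss.
const benchmarkExport = [
  { id: 101, owner: "ops-bob", name: "Memory baseline", description: "p95 over 30d" },
  { id: 102, owner: "ops-eve", name: "Disk <img src=x onerror=alert(1)>", description: "" },
  { id: 103, owner: "ops-eve", name: "Latency", description: "&#60;script&#62;fetch('/x')&#60;/script&#62;" },
  { id: 104, owner: "ops-ann", name: "a < b comparison", description: "threshold < 5 and > 2" },
];

// Decode decimal/hex numeric entities and the common named ones so the text
// is inspected in the form a browser would render it.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
}

// Indicators of markup in a field that should be plain text. The tag pattern
// requires the tag name to follow "<" immediately, as browsers do, so that
// "a < b" is not reported.
const INDICATORS = [
  { reason: "html-tag", re: /<\/?[a-z][a-z0-9-]*(\s|>|\/)/i },
  { reason: "event-handler", re: /\bon[a-z]+\s*=/i },
  { reason: "javascript-uri", re: /javascript\s*:/i },
];

function scanRecord(record, fields) {
  const findings = [];
  for (const field of fields) {
    const raw = record[field];
    if (typeof raw !== "string" || raw === "") continue;
    const text = decodeEntities(raw);
    for (const { reason, re } of INDICATORS) {
      if (re.test(text)) findings.push({ id: record.id, owner: record.owner, field, reason });
    }
  }
  return findings;
}

// Returns one finding per (record, field, indicator); an empty array means
// nothing suspicious was found in the exported fields.
function scanExport(records, fields = ["name", "description"]) {
  return records.flatMap((r) => scanRecord(r, fields));
}

for (const f of scanExport(benchmarkExport)) {
  console.log(`benchmark ${f.id} (owner ${f.owner}): ${f.reason} in ${f.field}`);
}
```

Run it against the export from each Aria Operations instance; the `owner` of any flagged record is the account whose activity should be reviewed next, together with that account's other changes around the benchmark's creation time.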

Responsible

VMware

Reservation

01/09/2026

Disclosure

02/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00125

KEV

no

Activities

very low
