EUVD-2026-35032
GHSA-76rr-q8xf-r868
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in VMware Cloud Foundation Operations (and the related Aria Operations / Telco Cloud Platform builds) lets an authenticated user who can create policies, views, or text-widgets inject script that executes in the browser of any user who later views the affected object, including administrators. Because the CVSS vector marks Confidentiality, Integrity, and Availability as High with Scope:Unchanged, a successful payload effectively lets a low-privileged operator escalate to administrative actions inside the Operations console. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a valid authenticated account on the VMware Cloud Foundation Operations / Aria Operations / Telco Cloud Platform UI that holds the specific privilege to create or modify policies, views, or text-widgets - this is the PR:L in the CVSS vector and is explicitly called out in the description; (2) a separate higher-privileged user (typically an administrator) must subsequently view the poisoned policy, view, or text-widget in their browser, satisfying the UI:R requirement; and (3) the target deployment must be running an affected build at or below 8.18.7 of VCF Operations 5.x, Aria Operations 8.18.x, or Telco Cloud Platform 5.x. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals point to a credible but conditional risk rather than an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with policy/view/widget authoring rights (for example, a tenant operator or junior SRE) creates or edits a dashboard text-widget and embeds a JavaScript payload in a field that is rendered without sanitization. When an administrator later opens the dashboard or the affected view, the script executes in the admin's authenticated session and silently issues privileged API calls - creating accounts, altering policies, or exfiltrating monitoring data. … |
| Remediation | Apply the fixed build referenced in the Broadcom advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37513 - the input data does not include an exact post-8.18.7 fix version, so consult that advisory for the precise patched release for each SKU (VCF Operations, Aria Operations, Telco Cloud Platform) before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all VMware Cloud Foundation Operations, Aria Operations, and Telco Cloud Platform deployments; audit which users have permissions to create or modify policies, views, and text-widgets; revoke creation rights for non-administrative accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today