Skip to main content

Cloud Foundation

121 CVEs product

Monthly

CVE-2026-22721 MEDIUM PATCH This Month

Privilege escalation in VMware Aria Operations allows authenticated users with vCenter access to escalate their privileges to administrative level within Aria Operations. The vulnerability affects multiple Broadcom products including Telco Cloud Platform, Aria Operations, and Cloud Foundation, requiring administrative intervention but no user interaction to exploit. Patches are available through VMSA-2026-0001.

VMware Broadcom Privilege Escalation Telco Cloud Platform Aria Operations +2
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-22720 HIGH PATCH This Week

Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.

VMware Broadcom XSS Telco Cloud Infrastructure Telco Cloud Platform +2
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-22719 HIGH KEV PATCH THREAT Act Now

VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.

VMware Broadcom RCE Command Injection Aria Operations +3
NVD
CVSS 3.1
8.1
EPSS
7.4%
CVE-2025-41244 HIGH POC KEV PATCH THREAT Act Now

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Privilege Escalation VMware Aria Operations Cloud Foundation Cloud Foundation Operations +7
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2025-22245 MEDIUM This Month

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.

XSS VMware Vmware Nsx Cloud Foundation Telco Cloud Platform +1
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-22244 MEDIUM This Month

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation.

XSS VMware Telco Cloud Infrastructure Telco Cloud Platform Vmware Nsx +1
NVD
CVSS 3.1
6.9
EPSS
0.0%
CVE-2025-22243 HIGH This Week

VMware NSX Manager UI is vulnerable to stored cross-site scripting (XSS) attacks via improper input validation in user-controllable fields (CWE-79). An authenticated attacker with high privileges can inject malicious scripts that persist in the application and execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. With a CVSS score of 7.5 and network-accessible attack vector, this vulnerability poses a moderate-to-high risk to NSX Manager deployments, particularly in multi-user environments.

XSS VMware Telco Cloud Platform Cloud Foundation Vmware Nsx +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-41231 HIGH This Month

VMware Cloud Foundation contains a missing authorisation vulnerability. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Cloud Foundation
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-22249 HIGH PATCH This Week

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS VMware Aria Automation Cloud Foundation Telco Cloud Platform
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-22226 HIGH KEV THREAT CERT-EU Act Now

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowing VM administrators to leak memory from the VMX process on the host.

Information Disclosure Buffer Overflow VMware ESXi Cloud Foundation +4
NVD
CVSS 3.1
7.1
EPSS
6.8%
CVE-2025-22225 HIGH KEV THREAT CERT-EU Act Now

VMware ESXi contains an arbitrary write vulnerability that allows privileged VMX process users to trigger kernel writes, enabling escape from the VMX sandbox to the ESXi kernel.

Memory Corruption Buffer Overflow VMware ESXi Cloud Foundation +2
NVD
CVSS 3.1
8.2
EPSS
7.9%
CVE-2025-22224 CRITICAL KEV THREAT CERT-EU Emergency

VMware ESXi and Workstation contain a TOCTOU race condition leading to out-of-bounds write, allowing local administrators on VMs to escape the sandbox and execute code as the VMX process on the host.

Buffer Overflow VMware ESXi Cloud Foundation Telco Cloud Infrastructure +2
NVD
CVSS 3.1
9.3
EPSS
52.7%
CVE-2025-22222 HIGH This Month

VMware Aria Operations contains an information disclosure vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Information Disclosure Aria Operations Cloud Foundation
NVD
CVSS 3.1
7.7
EPSS
0.7%
CVE-2025-22221 MEDIUM This Month

VMware Aria Operation for Logs contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware XSS Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
5.2
EPSS
0.2%
CVE-2025-22220 MEDIUM Monitor

VMware Aria Operations for Logs contains a privilege escalation vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-22219 MEDIUM This Month

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware XSS Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2025-22218 HIGH This Month

VMware Aria Operations for Logs contains an information disclosure vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

VMware Information Disclosure Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
8.5
EPSS
0.5%
CVE-2024-38834 MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-38833 MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-38832 MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2024-38831 HIGH This Week

VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Command Injection VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-38830 HIGH This Week

VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-38813 CRITICAL KEV THREAT Act Now

The vCenter Server contains a privilege escalation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
9.8
EPSS
16.7%
CVE-2024-38812 CRITICAL KEV THREAT Act Now

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow VMware RCE Cloud Foundation +1
NVD
CVSS 3.1
9.8
EPSS
54.1%
CVE-2024-22280 HIGH This Week

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi VMware Aria Automation Cloud Foundation
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-37087 MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-37086 MEDIUM This Month

VMware ESXi contains an out-of-bounds read vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure VMware Cloud Foundation ESXi
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-37081 HIGH POC Act Now

The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Vcenter Server Cloud Foundation
NVD
CVSS 3.1
7.8
EPSS
5.0%
CVE-2024-37079 CRITICAL KEV PATCH THREAT Act Now

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow VMware RCE Memory Corruption Cloud Foundation +1
NVD
CVSS 3.1
9.8
EPSS
22.4%
CVE-2024-22275 MEDIUM This Month

The vCenter Server contains a partial file read vulnerability. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
4.9
EPSS
1.0%
CVE-2024-22274 HIGH This Week

The vCenter Server contains an authenticated remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.2
EPSS
2.5%
CVE-2024-22273 HIGH This Week

The storage controllers on VMware ESXi, Workstation, and Fusion have out-of-bounds read/write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure VMware Denial Of Service Cloud Foundation +3
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-22255 HIGH This Week

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Denial Of Service Cloud Foundation Workstation +2
NVD
CVSS 3.1
7.1
EPSS
2.3%
CVE-2024-22254 HIGH This Week

VMware ESXi contains an out-of-bounds write vulnerability. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow VMware Memory Corruption Cloud Foundation ESXi
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2024-22253 MEDIUM This Month

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Use After Free VMware RCE Memory Corruption Cloud Foundation +3
NVD
CVSS 3.1
6.7
EPSS
0.6%
CVE-2024-22235 MEDIUM This Month

VMware Aria Operations contains a local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2023-34043 MEDIUM PATCH This Month

VMware Aria Operations contains a local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation VMware Aria Operations Cloud Foundation
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2023-20884 MEDIUM PATCH This Month

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Information Disclosure VMware Open Redirect Identity Manager Workspace One Access +2
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-20880 MEDIUM This Month

VMware Aria Operations contains a privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Authentication Bypass Aria Operations Cloud Foundation
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2023-20879 MEDIUM This Month

VMware Aria Operations contains a Local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Cloud Foundation Vrealize Operations
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2023-20878 HIGH This Week

VMware Aria Operations contains a deserialization vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Deserialization Cloud Foundation Vrealize Operations
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2023-20877 HIGH This Week

VMware Aria Operations contains a privilege escalation vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation RCE VMware Authentication Bypass Cloud Foundation +1
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-20865 HIGH This Week

VMware Aria Operations for Logs contains a command injection vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Command Injection Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2023-20864 CRITICAL POC THREAT Act Now

VMware Aria Operations for Logs contains a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Deserialization Aria Operations For Logs Cloud Foundation
NVD
CVSS 3.1
9.8
EPSS
70.4%
CVE-2022-31701 MEDIUM This Month

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Access Cloud Foundation Identity Manager Connector
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-31700 HIGH This Week

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE VMware Access Cloud Foundation Identity Manager
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-31699 LOW Monitor

VMware ESXi contains a heap-overflow vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure VMware Buffer Overflow Cloud Foundation +1
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2022-31698 MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability in the content library service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware Denial Of Service Cloud Foundation Vcenter Server
NVD
CVSS 3.1
5.3
EPSS
47.8%
CVE-2022-31697 MEDIUM This Month

The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure VMware Vcenter Server Cloud Foundation
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2022-31696 HIGH PATCH This Week

VMware ESXi contains a memory corruption vulnerability that exists in the way it handles a network socket. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption VMware Buffer Overflow Cloud Foundation ESXi
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2022-31678 CRITICAL POC Act Now

VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE VMware Cloud Foundation Nsx Data Center
NVD
CVSS 3.1
9.1
EPSS
8.1%
CVE-2022-31681 MEDIUM PATCH This Month

VMware ESXi contains a null-pointer deference vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

VMware Null Pointer Dereference Denial Of Service Cloud Foundation ESXi
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2022-22982 HIGH This Week

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware SSRF Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-22973 HIGH This Week

VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

VMware Privilege Escalation Identity Manager Workspace One Access Cloud Foundation +1
NVD
CVSS 3.1
7.8
EPSS
2.3%
CVE-2022-22972 CRITICAL POC THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware Authentication Bypass Identity Manager Vrealize Automation Workspace One Access +2
NVD
CVSS 3.1
9.8
EPSS
52.8%
CVE-2022-22961 MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

VMware Information Disclosure Cloud Foundation Identity Manager Vrealize Automation +2
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2022-22960 HIGH POC KEV PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

VMware Privilege Escalation Cloud Foundation Identity Manager Vrealize Automation +2
NVD
CVSS 3.1
7.8
EPSS
37.2%
CVE-2022-22959 MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

VMware CSRF Cloud Foundation Identity Manager Vrealize Automation +2
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-22958 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE Cloud Foundation Identity Manager +3
NVD
CVSS 3.1
7.2
EPSS
3.0%
CVE-2022-22957 HIGH POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE Cloud Foundation Identity Manager +3
NVD GitHub
CVSS 3.1
7.2
EPSS
23.1%
CVE-2022-22954 CRITICAL POC KEV THREAT Emergency

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

VMware RCE Code Injection Identity Manager Vrealize Automation +3
NVD
CVSS 3.1
9.8
EPSS
100.0%
CVE-2021-21980 HIGH PATCH This Week

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-22048 HIGH PATCH This Week

The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Privilege Escalation VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
8.8
EPSS
10.0%
CVE-2021-22035 MEDIUM PATCH This Month

VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Code Injection VMware Cloud Foundation Vrealize Log Insight Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-22033 LOW PATCH Monitor

Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF VMware Cloud Foundation Vrealize Operations Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
2.7
EPSS
0.6%
CVE-2021-22020 MEDIUM PATCH This Month

The vCenter Server contains a denial-of-service vulnerability in the Analytics service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-22019 HIGH PATCH This Week

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-22018 MEDIUM PATCH This Month

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-22016 MEDIUM PATCH This Month

The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-22015 HIGH POC PATCH Act Now

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Privilege Escalation Path Traversal Information Disclosure VMware Cloud Foundation +1
NVD
CVSS 3.1
7.8
EPSS
1.8%
CVE-2021-22014 HIGH PATCH This Week

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-22013 HIGH PATCH This Week

The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-22012 HIGH PATCH This Week

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

VMware Information Disclosure Authentication Bypass Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-22011 MEDIUM PATCH This Month

vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-22010 HIGH PATCH This Week

The vCenter Server contains a denial-of-service vulnerability in VPXD service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-22009 HIGH PATCH This Week

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Denial Of Service Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-22008 HIGH PATCH This Week

The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-22007 MEDIUM PATCH This Month

The vCenter Server contains a local information disclosure vulnerability in the Analytics service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-22006 HIGH PATCH This Week

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.5
EPSS
6.3%
CVE-2021-22005 CRITICAL POC KEV PATCH THREAT Act Now

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal File Upload VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
9.8
EPSS
100.0%
CVE-2021-21993 MEDIUM PATCH This Month

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-21992 MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-21991 HIGH PATCH This Week

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation VMware Cloud Foundation Vcenter Server
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-22003 HIGH PATCH This Week

VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Identity Manager Workspace One Access Cloud Foundation +1
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-22002 CRITICAL PATCH Act Now

VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

VMware Authentication Bypass Identity Manager Workspace One Access Cloud Foundation +1
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-22021 MEDIUM PATCH This Month

VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS VMware Cloud Foundation Vrealize Log Insight
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-22027 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-22026 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22025 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-22024 HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cloud Foundation Vrealize Operations Manager Vrealize Suite Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Privilege escalation in VMware Aria Operations allows authenticated users with vCenter access to escalate their privileges to administrative level within Aria Operations. The vulnerability affects multiple Broadcom products including Telco Cloud Platform, Aria Operations, and Cloud Foundation, requiring administrative intervention but no user interaction to exploit. Patches are available through VMSA-2026-0001.

VMware Broadcom Privilege Escalation +4
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.

VMware Broadcom XSS +4
NVD
EPSS 7% CVSS 8.1
HIGH KEV PATCH THREAT Act Now

VMware Aria Operations contains a command injection vulnerability (CVE-2026-22719, CVSS 8.1) that allows unauthenticated remote attackers to execute arbitrary commands during support-assisted product migration. KEV-listed with patches available, this vulnerability targets the infrastructure monitoring platform that has visibility into the entire virtualized environment.

VMware Broadcom RCE +5
NVD
EPSS 0% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Privilege Escalation VMware Aria Operations +9
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation.

XSS VMware Vmware Nsx +3
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation.

XSS VMware Telco Cloud Infrastructure +3
NVD
EPSS 0% CVSS 7.5
HIGH This Week

VMware NSX Manager UI is vulnerable to stored cross-site scripting (XSS) attacks via improper input validation in user-controllable fields (CWE-79). An authenticated attacker with high privileges can inject malicious scripts that persist in the application and execute in the browsers of other users, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. With a CVSS score of 7.5 and network-accessible attack vector, this vulnerability poses a moderate-to-high risk to NSX Manager deployments, particularly in multi-user environments.

XSS VMware Telco Cloud Platform +3
NVD
EPSS 0% CVSS 7.3
HIGH This Month

VMware Cloud Foundation contains a missing authorisation vulnerability. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Cloud Foundation
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS VMware Aria Automation +2
NVD
EPSS 7% CVSS 7.1
HIGH KEV THREAT Act Now

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowing VM administrators to leak memory from the VMX process on the host.

Information Disclosure Buffer Overflow VMware +6
NVD
EPSS 8% CVSS 8.2
HIGH KEV THREAT Act Now

VMware ESXi contains an arbitrary write vulnerability that allows privileged VMX process users to trigger kernel writes, enabling escape from the VMX sandbox to the ESXi kernel.

Memory Corruption Buffer Overflow VMware +4
NVD
EPSS 53% CVSS 9.3
CRITICAL KEV THREAT Emergency

VMware ESXi and Workstation contain a TOCTOU race condition leading to out-of-bounds write, allowing local administrators on VMs to escape the sandbox and execute code as the VMX process on the host.

Buffer Overflow VMware ESXi +4
NVD
EPSS 1% CVSS 7.7
HIGH This Month

VMware Aria Operations contains an information disclosure vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Information Disclosure Aria Operations +1
NVD
EPSS 0% CVSS 5.2
MEDIUM This Month

VMware Aria Operation for Logs contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware XSS Aria Operations For Logs +1
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

VMware Aria Operations for Logs contains a privilege escalation vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations For Logs +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware XSS Aria Operations For Logs +1
NVD
EPSS 1% CVSS 8.5
HIGH This Month

VMware Aria Operations for Logs contains an information disclosure vulnerability. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

VMware Information Disclosure Aria Operations For Logs +1
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

VMware Aria Operations contains a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS VMware Aria Operations +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Command Injection VMware +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

VMware Aria Operations contains a local privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations +1
NVD
EPSS 17% CVSS 9.8
CRITICAL KEV THREAT Act Now

The vCenter Server contains a privilege escalation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation VMware Cloud Foundation +1
NVD
EPSS 54% CVSS 9.8
CRITICAL KEV THREAT Act Now

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow VMware +3
NVD
EPSS 0% CVSS 8.1
HIGH This Week

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi VMware Aria Automation +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

VMware ESXi contains an out-of-bounds read vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure VMware +2
NVD
EPSS 5% CVSS 7.8
HIGH POC Act Now

The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Vcenter Server +1
NVD
EPSS 22% CVSS 9.8
CRITICAL KEV PATCH THREAT Act Now

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow VMware RCE +3
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

The vCenter Server contains a partial file read vulnerability. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

The vCenter Server contains an authenticated remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE VMware +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The storage controllers on VMware ESXi, Workstation, and Fusion have out-of-bounds read/write vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure VMware +5
NVD
EPSS 2% CVSS 7.1
HIGH This Week

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure VMware Denial Of Service +4
NVD
EPSS 1% CVSS 8.2
HIGH This Week

VMware ESXi contains an out-of-bounds write vulnerability. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow VMware Memory Corruption +2
NVD
EPSS 1% CVSS 6.7
MEDIUM This Month

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Use After Free VMware RCE +5
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

VMware Aria Operations contains a local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Aria Operations +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

VMware Aria Operations contains a local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation VMware Aria Operations +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Information Disclosure VMware Open Redirect +4
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

VMware Aria Operations contains a privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Authentication Bypass +2
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

VMware Aria Operations contains a Local privilege escalation vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

VMware Aria Operations contains a deserialization vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Deserialization Cloud Foundation +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

VMware Aria Operations contains a privilege escalation vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation RCE VMware +3
NVD
EPSS 2% CVSS 7.2
HIGH This Week

VMware Aria Operations for Logs contains a command injection vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

VMware Command Injection Aria Operations For Logs +1
NVD
EPSS 70% CVSS 9.8
CRITICAL POC THREAT Act Now

VMware Aria Operations for Logs contains a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Deserialization +2
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Access +2
NVD
EPSS 1% CVSS 7.2
HIGH This Week

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE VMware Access +2
NVD
EPSS 0% CVSS 3.3
LOW Monitor

VMware ESXi contains a heap-overflow vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure VMware +3
NVD
EPSS 48% CVSS 5.3
MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability in the content library service. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware Denial Of Service Cloud Foundation +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure VMware Vcenter Server +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

VMware ESXi contains a memory corruption vulnerability that exists in the way it handles a network socket. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption VMware Buffer Overflow +2
NVD
EPSS 8% CVSS 9.1
CRITICAL POC Act Now

VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure XXE VMware +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

VMware ESXi contains a null-pointer deference vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

VMware Null Pointer Dereference Denial Of Service +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware SSRF Cloud Foundation +1
NVD
EPSS 2% CVSS 7.8
HIGH This Week

VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

VMware Privilege Escalation Identity Manager +3
NVD
EPSS 53% CVSS 9.8
CRITICAL POC THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

VMware Authentication Bypass Identity Manager +4
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

VMware Information Disclosure Cloud Foundation +4
NVD
EPSS 37% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

VMware Privilege Escalation Cloud Foundation +4
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

VMware CSRF Cloud Foundation +4
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE +5
NVD
EPSS 23% CVSS 7.2
HIGH POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization VMware RCE +5
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

VMware RCE Code Injection +5
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 10% CVSS 8.8
HIGH PATCH This Week

The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Privilege Escalation VMware +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Code Injection VMware Cloud Foundation +2
NVD
EPSS 1% CVSS 2.7
LOW PATCH Monitor

Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF VMware Cloud Foundation +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The vCenter Server contains a denial-of-service vulnerability in the Analytics service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS VMware Cloud Foundation +1
NVD
EPSS 2% CVSS 7.8
HIGH POC PATCH Act Now

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Privilege Escalation Path Traversal Information Disclosure +3
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Cloud Foundation +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Information Disclosure VMware +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

VMware Information Disclosure Authentication Bypass +2
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains a denial-of-service vulnerability in VPXD service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Denial Of Service Information Disclosure VMware +2
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The vCenter Server contains a local information disclosure vulnerability in the Analytics service. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 6% CVSS 7.5
HIGH PATCH This Week

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass VMware Cloud Foundation +1
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal File Upload VMware +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure VMware +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure VMware Cloud Foundation +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Identity Manager +3
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

VMware Authentication Bypass Identity Manager +3
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS VMware Cloud Foundation +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Information Disclosure Cloud Foundation +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Cloud Foundation Vrealize Operations Manager +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cloud Foundation Vrealize Operations Manager +1
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy