What is CVE-2026-22720?

CVE-2026-22720 is a high-severity stored cross-site scripting vulnerability in VMware Aria Operations. Attackers with privileges can inject scripts to perform unauthorized actions. Immediate patching is essential to mitigate risks.

What is the severity of CVE-2026-22720?

CVE-2026-22720 has a severity rating of HIGH with a CVSS base score of 8.

CVE-2026-22720 | High Vulnerability in VMware Aria Operations

CVE-2026-22720 is a high-severity stored cross-site scripting vulnerability affecting VMware Aria Operations. This vulnerability allows a malicious actor with privileges to create custom benchmarks to inject malicious scripts. These scripts can be exploited to perform unauthorized administrative actions within VMware Aria Operations. The CVSS score for this vulnerability is 8, indicating a high level of severity. This critical flaw can pose significant risks to organizations utilizing the affected software, as it could lead to unauthorized access and manipulation of sensitive data.

Risk to organizations includes potential data compromise, operational disruptions, and unauthorized administrative access. The vulnerability has been confirmed and requires urgent attention, as attackers may leverage this weakness to exploit systems if patches are not applied promptly. Organizations should prioritize patching immediately.

The vulnerability was published on February 25, 2026, and its implications are significant, especially for organizations relying on VMware products for their operations. Patching is vital to prevent exploitation, and VMware has provided remediation steps through their advisory.

To remediate CVE-2026-22720, organizations should apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' of VMSA-2026-0001.

Vulnerability Details

The official description states that VMware Aria Operations contains a stored cross-site scripting vulnerability. The CVSS score from the NVD is 9, indicating critical severity, while VMware provides a slightly lower score of 8. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation ('cross-site scripting').

The affected products include VMware Aria Operations, Cloud Foundation, Telco Cloud Infrastructure, and Telco Cloud Platform, specifically versions before the vendor patch.

Technical Analysis

The root cause of this vulnerability is the lack of proper input validation, allowing for the execution of arbitrary scripts. The attack vector is network-based, and the complexity of the attack is low. Attackers require low privileges and user interaction is necessary to execute the attack. The impact on confidentiality, integrity, and availability is high.

Risk & Impact Analysis

Real-world deployment risk is significant, as this vulnerability could allow attackers to gain unauthorized access and manipulate sensitive data. Organizations using affected VMware products are at high risk of data breaches and operational disruption due to the ease of exploitation. The urgency for remediation is high, given the critical nature of the vulnerability and the potential for significant damage.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions include VMware Aria Operations versions from 8.0 to less than 8.18.6, Cloud Foundation from 4.0 to less than 5.2.3, Telco Cloud Infrastructure from 2.2 to 3.0, and Telco Cloud Platform from 4.0 to 5.1. Organizations should ensure that they are using fixed versions to mitigate this vulnerability.

Mitigation & Remediation

To mitigate CVE-2026-22720, apply the patches provided in the advisory. Organizations should update their VMware products to the fixed versions listed in the 'Response Matrix' of VMSA-2026-0001. In cases where immediate patching is not possible, consider implementing network controls to limit access to affected systems and enhance monitoring to detect potential exploitation attempts.

Detection Guidance

Organizations should monitor logs for signs of unauthorized script execution and any anomalous administrative actions. Behavioral anomalies, particularly around user interactions with benchmarks, should be investigated. Establish network signatures to detect unusual activity that may indicate attempts to exploit this vulnerability.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-22720 lies in its demonstration of the critical vulnerabilities that can exist within widely used software products. This incident highlights the importance of regular vulnerability assessments and robust patch management practices. Organizations should learn from this vulnerability to bolster their defenses and ensure that security protocols are in place to address similar issues in the future. For more insights, organizations can refer to the vulnerability management program and consider conducting regular penetration testing to identify potential weaknesses across their systems. Additionally, organizations should explore security testing best practices to stay ahead of emerging threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-22720: High Vulnerability in VMware Aria Operations