VMware Aria Operations Vulnerability Could Allow Remote Code Execution

Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws.

The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.

“A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” Broadcom explained in its advisory.

Another high-severity issue patched in Aria Operations (with a CVSS score of 8.0) is CVE-2026-22720, a stored cross-site scripting (XSS) flaw that can allow an attacker with permission to create custom benchmarks to inject scripts to perform administrative actions. 

The third and last vulnerability patched with the latest round of updates is CVE-2026-22721, a medium-severity privilege escalation issue that can be exploited to obtain administrative access.

Patches for the vulnerabilities are included ...