Back to KEVs

CVE-2026-22719

VMware Aria Operations command injection vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
January 09, 2026
Published Date
February 25, 2026
Last Updated
April 14, 2026
Vendor
VMware
Product
VMware Aria Operations, VMware Cloud Foundation Operations, Telco Cloud Platform, Telco Cloud Infrastructure
Description
VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.  To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001  Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001
Tags
cisa

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 11:37:52 UTC) Source

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 https://knowledge.broadcom.com/external/article/430349 https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 11:37:52 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel