VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress.
To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in VMSA-2026-0001
Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the 'Response Matrix' in VMSA-2026-0001
"}]}],"references":[{"url":"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947","name":"VMSA-2026-0001: VMware Aria Operations updates (includes CVE-2026-22719)","tags":["vendor-advisory"]},{"url":"https://knowledge.broadcom.com/external/article/430349","name":"KB430349: Workaround instructions for CVE-2026-22719","tags":["mitigation"]},{"url":"https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html","name":"VMware Aria Operations 8.18.6 Release Notes (resolves CVE-2026-22719)","tags":["release-notes"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],"workarounds":[{"lang":"en","value":"Workarounds are available and documented by the vendor (see VMSA-2026-0001 KB430349) https://knowledge.broadcom.com/external/article/430349 for environments where immediate patching is not possible.","supportingMedia":[{"type":"text/html","base64":false,"value":"Workarounds are available and documented by the vendor (see VMSA-2026-0001 KB430349) for environments where immediate patching is not possible.
"}]}],"solutions":[{"lang":"en","value":"Apply the vendor patches listed in the 'Fixed Version' column of the Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 in VMSA-2026-0001. Fixed versions include VMware Aria Operations 8.18.6 (for 8.x) and VMware Cloud Foundation Operations 9.0.2.0 (for 9.x).","supportingMedia":[{"type":"text/html","base64":false,"value":"Apply the vendor patches listed in the 'Fixed Version' column of the Response Matrix in VMSA-2026-0001. Fixed versions include VMware Aria Operations 8.18.6 (for 8.x) and VMware Cloud Foundation Operations 9.0.2.0 (for 9.x).
"}]}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22719","tags":["government-resource"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-24T00:00:00+00:00","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-22719"}}},{"other":{"type":"kev","content":{"dateAdded":"2026-03-03","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22719"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-04T04:55:10.596Z"},"timeline":[{"time":"2026-03-03T00:00:00.000Z","lang":"en","value":"CVE-2026-22719 added to CISA KEV"}]}]}}