Is CVE-2026-22719 in the CISA KEV catalog?

Yes. CVE-2026-22719 is on the CISA Known Exploited Vulnerabilities list, added 2026-03-03.

What is the CVSS severity of CVE-2026-22719?

CVE-2026-22719 has a CVSS v3 base score of 8.1 (HIGH).

What is the EPSS score for CVE-2026-22719?

CVE-2026-22719 has an EPSS score of 17.42% (97th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-22719

HIGHCISA KEVEPSS 97th pctl

8.1

CVSS v3

NVD

Description

VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001 Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the ' Response Matrix https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ' in VMSA-2026-0001

CWE-77Command Injection

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

17.42%probability of exploitation in 30 days

97thpercentile

Very high risk: more likely to be exploited than 97% of all known CVEs.

Known Exploited Vulnerability (CISA KEV)

Broadcom VMware Aria Operations Command Injection Vulnerability

Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Remediation due: 2026-03-24

References

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-03-04.