Vendor scorecard
VMware
VMware security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: vmware
Product families
3
Open in latest
19
Inferred — see methodology
Last disclosure
May 12, 2026
01
Product categories
3 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| NSXNGFW / Network Security · Network Management & Monitoringnsx, nsx-t_data_center, nsx_data_center_for_vsphere | 0 | 0 | unknown | ||
| SD-WAN (VeloCloud)SD-WAN & SASEsd-wan, sd-wan_edge, sd-wan_orchestrator | 0 | 19 | 13.2.1MED | ||
| Avi Load BalancerApplication Delivery / ADCavi_load_balancer, nsx_advanced_load_balancer | 0 | 0 | unknown |
02
Recent CVEs
12 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-44871(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44873(opens NVD record) | Medium | 5.4 | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled. | May 12, 2026 |
| CVE-2026-44872(opens NVD record) | High | 7.2 | A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device. | May 12, 2026 |
| CVE-2026-44870(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44869(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44868(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44867(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44866(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44865(opens NVD record) | High | 7.2 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44864(opens NVD record) | High | 7.2 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44863(opens NVD record) | High | 7.2 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
| CVE-2026-44862(opens NVD record) | High | 7.2 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system. | May 12, 2026 |
0 CVEs · 3 product families