VMware on Wednesday patched an important vulnerability in its ESXi hypervisor, part of its suite of VSphere virtualization products, that could allow stored for cross-site scripting.

According to a VMware security advisory, attackers can exploit the flaw if they have permission to manage virtual machines through the ESXi Host Client, or if they con the vSphere administration into importing a specially crafted VM. Officially designated CVE-2016-7463, the vulnerability affects product versions 5.5 and 6.0, but not 6.5.

VMware has warned its users not to import VMs from untrusted sources. The company credited researcher Caleb Watt for discovering the issue.