CRITICAL🇵🇱 Wersja polska

CVE-2026-22582

CVSS 9.8v3.1pub. 2026-01-24upd. 2026-02-12

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

🤖 AI Analysis
How it works

The flaw consists of improper neutralization of argument-separating characters in a command (CWE-88 — Argument Injection). An attacker can supply specially crafted input data to the MicrositeUrl module, which is then interpreted as additional command arguments or service invocation parameters. As a result, it is possible to manipulate the behavior of web services in ways not anticipated by the application.

Impact

A remote, unauthenticated attacker can gain full access to the confidentiality, integrity, and availability of the resource — which corresponds to C:H/I:H/A:H ratings in the CVSS vector. Unauthorized data reading, modification or destruction, as well as service disruption are possible.

Mitigation & patch

Salesforce deployed a patch on January 21, 2026. Ensure that the Marketing Cloud Engagement instance in use is updated to a version after this date. Details are available in the Salesforce support article (ID: 005299346).

Who is affected

Salesforce Marketing Cloud Engagement (MicrositeUrl module) — all versions prior to January 21, 2026.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Salesforce Marketing Cloud Engagement

    APP
    Salesforce
    < 2026-01-21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22583CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)

CVE-2026-22585CRITICAL9.8PL ✓ten sam produkt

Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)

CVE-2026-22586CRITICAL9.8PL ✓ten sam produkt

Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement

CVE-2026-22584CRITICAL9.8PL ✓ten sam vendor

Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu

CVE-2021-1626CRITICAL9.8ten sam vendor

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...