Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
The flaw consists of improper neutralization of argument-separating characters in a command (CWE-88 — Argument Injection). An attacker can supply specially crafted input data to the MicrositeUrl module, which is then interpreted as additional command arguments or service invocation parameters. As a result, it is possible to manipulate the behavior of web services in ways not anticipated by the application.
A remote, unauthenticated attacker can gain full access to the confidentiality, integrity, and availability of the resource — which corresponds to C:H/I:H/A:H ratings in the CVSS vector. Unauthorized data reading, modification or destruction, as well as service disruption are possible.
Salesforce deployed a patch on January 21, 2026. Ensure that the Marketing Cloud Engagement instance in use is updated to a version after this date. Details are available in the Salesforce support article (ID: 005299346).
Salesforce Marketing Cloud Engagement (MicrositeUrl module) — all versions prior to January 21, 2026.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSalesforce Marketing Cloud Engagement
APPSalesforce< 2026-01-21
Related vulnerabilities
Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)
Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)
Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement
Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu
MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...