CRITICAL🇵🇱 Wersja polska

CVE-2026-22584

CVSS 9.8v3.1pub. 2026-01-09upd. 2026-01-22

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS: through 1.2.0.

🤖 AI Analysis
How it works

The vulnerability results from improper code generation control (CWE-94) in Salesforce Uni2TS. An attacker can supply specially crafted input data, which is then interpreted and executed as code. The 'Leverage Executable Code in Non-Executable Files' mechanism allows embedding executable code in files that should not normally be treated as executable code, leading to its execution by the vulnerable application.

Impact

An attacker can gain full control over the system — achieve confidentiality, integrity, and availability at a critical level. Remote execution of arbitrary code (RCE) is possible on systems running Uni2TS.

Mitigation & patch

Apply patches available from the vendor according to references (https://help.salesforce.com/s/articleView?id=005239354&type=1). Until updating, it is recommended to restrict network access to systems with Uni2TS installed and monitor activity for unauthorized code execution.

Who is affected

Salesforce Uni2TS in all versions up to and including 1.2.0, running on MacOS, Windows, and Linux systems.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Salesforce Uni2ts

    APP
    Salesforce
    < 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22586CRITICAL9.8PL ✓ten sam vendor

Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement

CVE-2026-22582CRITICAL9.8PL ✓ten sam vendor

Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)

CVE-2026-22583CRITICAL9.8PL ✓ten sam vendor

Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)

CVE-2026-22585CRITICAL9.8PL ✓ten sam vendor

Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)

CVE-2021-1627CRITICAL9.8ten sam vendor

MuleSoft is aware of a Server Side Request Forgery vulnerability affecting certain versions of a Mule runtime ...