CRITICAL🇵🇱 Wersja polska

CVE-2026-22583

CVSS 9.8v3.1pub. 2026-01-24upd. 2026-02-12

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

🤖 AI Analysis
How it works

The error consists of improper neutralization of argument separators in commands (CWE-88). Attacker may pass crafted data to the CloudPagesUrl module containing additional arguments that are not properly filtered or isolated. As a result, injection of unauthorized arguments into web service calls is possible, allowing manipulation of their behavior in a manner unintended by software creators.

Impact

Attacker may gain unauthorized access to data (confidentiality breach), modify or falsify data processed by services (integrity breach) and potentially disrupt their operation (availability breach) — all three aspects rated as high in the CVSS vector.

Mitigation & patch

Salesforce implemented a server-side patch on January 21, 2026. Administrators should verify that their Marketing Cloud Engagement instance has been updated to a version released after this date and review details available in the official Salesforce technical support article (ID: 005299346).

Who is affected

Salesforce Marketing Cloud Engagement in all versions before January 21, 2026 (affects CloudPagesUrl module).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Salesforce Marketing Cloud Engagement

    APP
    Salesforce
    < 2026-01-21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22582CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)

CVE-2026-22585CRITICAL9.8PL ✓ten sam produkt

Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)

CVE-2026-22586CRITICAL9.8PL ✓ten sam produkt

Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement

CVE-2026-22584CRITICAL9.8PL ✓ten sam vendor

Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu

CVE-2021-1626CRITICAL9.8ten sam vendor

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...