Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
The error consists of improper neutralization of argument separators in commands (CWE-88). Attacker may pass crafted data to the CloudPagesUrl module containing additional arguments that are not properly filtered or isolated. As a result, injection of unauthorized arguments into web service calls is possible, allowing manipulation of their behavior in a manner unintended by software creators.
Attacker may gain unauthorized access to data (confidentiality breach), modify or falsify data processed by services (integrity breach) and potentially disrupt their operation (availability breach) — all three aspects rated as high in the CVSS vector.
Salesforce implemented a server-side patch on January 21, 2026. Administrators should verify that their Marketing Cloud Engagement instance has been updated to a version released after this date and review details available in the official Salesforce technical support article (ID: 005299346).
Salesforce Marketing Cloud Engagement in all versions before January 21, 2026 (affects CloudPagesUrl module).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSalesforce Marketing Cloud Engagement
APPSalesforce< 2026-01-21
Related vulnerabilities
Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)
Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)
Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement
Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu
MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...