CRITICAL🇵🇱 Wersja polska

CVE-2026-22585

CVSS 9.8v3.1pub. 2026-01-24upd. 2026-02-12

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

🤖 AI Analysis
How it works

According to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), the vulnerability results from the use of an insecure cryptographic algorithm in the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules. Weak cryptography allows an attacker to manipulate communication with network services (Web Services Protocol Manipulation), which may include forgery, modification, or decryption of protected data transmitted by these modules. The attack is possible remotely, over the network, without requiring privileges or user engagement.

Impact

An attacker can gain full control over the confidentiality, integrity, and availability of data processed by vulnerable modules — including potentially hijacking or modifying subscriber data and marketing campaign configuration.

Mitigation & patch

Salesforce implemented a server-side patch dated January 21, 2026 — SaaS environments should be automatically updated. Administrators should verify their environment version and follow the vendor's recommendations available at: https://help.salesforce.com/s/articleView?id=005299346&type=1

Who is affected

Salesforce Marketing Cloud Engagement in all versions before January 21, 2026 — modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Salesforce Marketing Cloud Engagement

    APP
    Salesforce
    < 2026-01-21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22582CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)

CVE-2026-22583CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)

CVE-2026-22586CRITICAL9.8PL ✓ten sam produkt

Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement

CVE-2026-22584CRITICAL9.8PL ✓ten sam vendor

Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu

CVE-2021-1626CRITICAL9.8ten sam vendor

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...