Marketing Cloud Engagement
CVE-2026-22586
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
AnalysisAI
Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth critical Salesforce CVE.
Technical ContextAI
CWE-321 hardcoded cryptographic key shared across multiple Marketing Cloud components.
RemediationAI
Apply Salesforce security update. Rotate any derived keys.
More in Marketing Cloud Engagement
View allArgument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud C
Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of fo
Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Clou
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today