Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.
AnalysisAI
An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.
Technical ContextAI
The vulnerability is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), which describes a weakness where user-controlled input is improperly validated before being used as command arguments. In the context of Salesforce Marketing Cloud Engagement (identified via CPE cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*), the affected Web Services Protocol implementation fails to properly sanitize or escape argument delimiters. This allows attackers to break out of intended argument boundaries and inject arbitrary commands or parameters that the underlying service will execute. The root cause involves insufficient input validation at the protocol interpretation layer, where argument parsing does not account for special delimiter characters that could be supplied by an attacker.
RemediationAI
Organizations must apply the Salesforce patch released on or after January 30th, 2026 to all Marketing Cloud Engagement instances. Consult the official Salesforce security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1 for specific version numbers and upgrade procedures. Immediate interim mitigation should include restricting network access to Marketing Cloud Engagement Web Services endpoints to only authorized IP ranges and authenticated accounts, implementing network-level monitoring for suspicious argument patterns in service requests, and disabling any unnecessary Web Services APIs or integrations until the patch can be deployed. Organizations should also audit recent Web Services logs for evidence of attempted argument injection attacks or suspicious command patterns that may indicate prior exploitation attempts.
More in Marketing Cloud Engagement
View allArgument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud C
Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of fo
Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profil
Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14512