Skip to main content

Marketing Cloud Engagement CVE-2026-2298

| EUVDEUVD-2026-14512 CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-03-23 Salesforce
9.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 20:00 euvd
EUVD-2026-14512
Analysis Generated
Mar 23, 2026 - 20:00 vuln.today
CVE Published
Mar 23, 2026 - 19:54 nvd
CRITICAL 9.4

DescriptionCVE.org

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

AnalysisAI

An Improper Neutralization of Argument Delimiters (Argument Injection) vulnerability exists in Salesforce Marketing Cloud Engagement that allows attackers to manipulate Web Services Protocol interactions through command injection. All versions of Marketing Cloud Engagement released before January 30th, 2026 are affected. An attacker with network access to the affected service can inject malicious arguments into commands, potentially leading to unauthorized actions, data exfiltration, or service compromise. No CVSS score, EPSS data, or confirmed public POC are currently available, but the vulnerability has been officially disclosed by Salesforce with a patch deadline, indicating active remediation efforts.

Technical ContextAI

The vulnerability is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), which describes a weakness where user-controlled input is improperly validated before being used as command arguments. In the context of Salesforce Marketing Cloud Engagement (identified via CPE cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*), the affected Web Services Protocol implementation fails to properly sanitize or escape argument delimiters. This allows attackers to break out of intended argument boundaries and inject arbitrary commands or parameters that the underlying service will execute. The root cause involves insufficient input validation at the protocol interpretation layer, where argument parsing does not account for special delimiter characters that could be supplied by an attacker.

RemediationAI

Organizations must apply the Salesforce patch released on or after January 30th, 2026 to all Marketing Cloud Engagement instances. Consult the official Salesforce security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1 for specific version numbers and upgrade procedures. Immediate interim mitigation should include restricting network access to Marketing Cloud Engagement Web Services endpoints to only authorized IP ranges and authenticated accounts, implementing network-level monitoring for suspicious argument patterns in service requests, and disabling any unnecessary Web Services APIs or integrations until the patch can be deployed. Organizations should also audit recent Web Services logs for evidence of attempted argument injection attacks or suspicious command patterns that may indicate prior exploitation attempts.

Share

CVE-2026-2298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy