Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0.
AnalysisAI
Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.
Technical ContextAI
Workbench (forceworkbench) is an administrative and development toolkit for Salesforce.com Force.com API interactions. The vulnerability stems from CWE-94 (Improper Control of Generation of Code/Code Injection), where the timezone conversion functionality fails to sanitize cookie values before processing them in a code execution context. The CVSS vector indicates network attack vector (AV:N) with low complexity (AC:L), suggesting the timezone conversion feature accepts cookie input without proper validation or encoding. CPE identifier cpe:2.3:a:forceworkbench:forceworkbench confirms this is the open-source Workbench project. Cookie-based code injection typically occurs when server-side code evaluates, deserializes, or dynamically executes content from HTTP cookies without strict input validation, allowing attackers to inject malicious payloads that execute with application privileges.
RemediationAI
Upgrade to forceworkbench version 65.0.0 or later immediately. The fix is documented in GitHub pull request #869 (https://github.com/forceworkbench/forceworkbench/pull/869) and vendor security advisory GHSA-jw63-m86r-2jxc (https://github.com/forceworkbench/forceworkbench/security/advisories/GHSA-jw63-m86r-2jxc). For environments unable to upgrade immediately: disable timezone conversion functionality if operationally feasible (trade-off: users cannot convert timestamps between zones, may impact usability for global teams). Implement strict cookie input validation and sanitization before any processing (trade-off: requires code modification and testing, may break legitimate timezone data formats). Deploy web application firewall rules to inspect and block cookie values containing code injection patterns such as eval(), exec(), system calls, or serialization signatures (trade-off: potential false positives may disrupt legitimate usage, requires tuning). Restrict Workbench access to trusted internal networks only via IP allowlisting (trade-off: prevents remote administrative access, may conflict with distributed team workflows). All workarounds are temporary mitigations; upgrading to 65.0.0 remains the definitive remediation.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19450